@cybermem/cli 0.6.9 → 0.6.13

package/dist/commands/deploy.js

@@ -229,7 +229,7 @@ async function deploy(options) {
         }
       `));
             console.log(chalk_1.default.gray('      - Restart: sudo systemctl restart caddy'));
-            console.log(chalk_1.default.green('\n📚 Full docs: https://cybermem.dev/docs#https'));
+            console.log(chalk_1.default.green('\n📚 Full docs: https://docs.cybermem.dev#https'));
         }
     }
     catch (error) {

package/dist/templates/auth-sidecar/Dockerfile

@@ -0,0 +1,5 @@
+FROM node:20-alpine
+WORKDIR /app
+COPY server.js .
+EXPOSE 3001
+CMD ["node", "server.js"]

package/dist/templates/auth-sidecar/server.js

@@ -0,0 +1,159 @@
+/**
+ * CyberMem Auth Sidecar
+ *
+ * ForwardAuth service for Traefik that validates:
+ * 1. JWT tokens (RS256) with embedded public key
+ * 2. API keys (X-API-Key header) - deprecated fallback
+ * 3. Local requests (localhost bypass)
+ *
+ * NO SECRETS REQUIRED - public key is embedded.
+ */
+
+const http = require("http");
+const fs = require("fs");
+const crypto = require("crypto");
+
+const PORT = process.env.PORT || 3001;
+const API_KEY_FILE = process.env.API_KEY_FILE || "/.env";
+
+// RSA Public Key for JWT verification (embedded - no secrets!)
+const PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkrWPslHt+dcX/lckX4mw
+AaI4koCqn7NqEkTtuyJuzFv969Da0ghhWdTIRR6H8pYfsTtqtX2UAZox8i5IJ9t9
+JS8nBfbL2fFiuEz51LMNKMSLw7j2dJT/g5iIdT64LyJZ/9+kLMXC
+EBWPIyEvx4GMzKSf2L+jNaUY/0J8n/JNAbKtIplKtfOU/tNWuoZfcj3SnoxrmApN
+Xw+LsE26EM2Gq7MKLQf3r3GUIm2dBgs7XUNJRiezrPgFzekiaiDyFsNhhk1jkx2I
+ljQgSslGQ4dODE73KB07b0Qi7zPWAtGlCyDQD5RLICzht1mMENta7x+TlPJfDv8g
+XeEmW5ihAgMBAAE=
+-----END PUBLIC KEY-----`;
+
+// Load API key from file (deprecated fallback)
+function loadApiKey() {
+  try {
+    const content = fs.readFileSync(API_KEY_FILE, "utf-8");
+    const match = content.match(/OM_API_KEY=(.+)/);
+    return match ? match[1].trim() : null;
+  } catch {
+    return null;
+  }
+}
+
+// RS256 JWT validation
+function validateJwt(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+
+    const [headerB64, payloadB64, signatureB64] = parts;
+
+    // Decode header to check algorithm
+    const header = JSON.parse(Buffer.from(headerB64, "base64url").toString());
+    if (header.alg !== "RS256") {
+      console.log("JWT: unsupported algorithm", header.alg);
+      return null;
+    }
+
+    // Verify RS256 signature
+    const data = `${headerB64}.${payloadB64}`;
+    const signature = Buffer.from(signatureB64, "base64url");
+
+    const verify = crypto.createVerify("RSA-SHA256");
+    verify.update(data);
+
+    if (!verify.verify(PUBLIC_KEY, signature)) {
+      console.log("JWT: signature verification failed");
+      return null;
+    }
+
+    // Decode payload
+    const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+
+    // Check expiration
+    if (payload.exp && payload.exp < Date.now() / 1000) {
+      console.log("JWT: token expired");
+      return null;
+    }
+
+    // Check issuer
+    if (payload.iss !== "cybermem.dev") {
+      console.log("JWT: invalid issuer", payload.iss);
+      return null;
+    }
+
+    return payload;
+  } catch (err) {
+    console.log("JWT validation error:", err.message);
+    return null;
+  }
+}
+
+// Check if request is from localhost
+function isLocalRequest(req) {
+  const forwarded = req.headers["x-forwarded-for"];
+  const realIp = req.headers["x-real-ip"];
+  const ip = forwarded?.split(",")[0] || realIp || req.socket.remoteAddress;
+
+  return ip === "127.0.0.1" || ip === "::1" || ip === "localhost";
+}
+
+// ForwardAuth handler
+const server = http.createServer((req, res) => {
+  // Health check
+  if (req.url === "/health") {
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ status: "ok" }));
+    return;
+  }
+
+  const authHeader = req.headers["authorization"];
+  const apiKeyHeader = req.headers["x-api-key"];
+
+  // 1. Check JWT (Authorization: Bearer <token>)
+  if (authHeader?.startsWith("Bearer ")) {
+    const token = authHeader.substring(7);
+    const payload = validateJwt(token);
+
+    if (payload) {
+      console.log(`Auth OK: JWT (${payload.email || payload.sub})`);
+      res.writeHead(200, {
+        "X-User-Id": payload.sub || "",
+        "X-User-Email": payload.email || "",
+        "X-User-Name": payload.name || "",
+        "X-Auth-Method": "jwt",
+      });
+      res.end();
+      return;
+    }
+  }
+
+  // 2. Check API Key (deprecated fallback)
+  const expectedKey = loadApiKey();
+  if (apiKeyHeader && expectedKey && apiKeyHeader === expectedKey) {
+    console.log("Auth OK: API Key (deprecated)");
+    res.writeHead(200, {
+      "X-Auth-Method": "api-key",
+      "X-Auth-Deprecated": "true",
+    });
+    res.end();
+    return;
+  }
+
+  // 3. Local bypass (development)
+  if (isLocalRequest(req)) {
+    console.log("Auth OK: Local bypass");
+    res.writeHead(200, {
+      "X-Auth-Method": "local",
+    });
+    res.end();
+    return;
+  }
+
+  // 4. Unauthorized
+  console.log("Auth FAILED: No valid credentials");
+  res.writeHead(401, { "Content-Type": "application/json" });
+  res.end(JSON.stringify({ error: "Unauthorized" }));
+});
+
+server.listen(PORT, () => {
+  console.log(`Auth sidecar (RS256) listening on port ${PORT}`);
+});

package/dist/templates/docker-compose.yml

@@ -26,61 +26,41 @@ services:
       - traefik.enable=true
     restart: unless-stopped
 
-  # Workaround: responds 200 on GET /mcp for Perplexity validation
-  mcp-responder:
-    build:
-      context: ./mcp-responder
-      dockerfile: Dockerfile
-    container_name: cybermem-mcp-responder
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.mcp-get.entrypoints=web
-      - traefik.http.routers.mcp-get.rule=Method(`GET`) && Path(`/mcp`)
-      - traefik.http.routers.mcp-get.priority=200
-      - traefik.http.services.mcp-get.loadbalancer.server.port=8081
+  # MCP Server (Node.js/SDK)
+  mcp-server:
+    image: ghcr.io/mikhailkogan17/cybermem-mcp:latest
     restart: unless-stopped
-
-  openmemory:
-    build:
-      context: ./openmemory
-      dockerfile: Dockerfile
-    container_name: cybermem-openmemory
-    ports: [] # Access via Traefik on 8626
+    container_name: cybermem-mcp
+    environment:
+      PORT: "8080"
+      OM_DB_PATH: /data/openmemory.sqlite
     volumes:
-      - openmemory-data:/data
-      - ${CYBERMEM_ENV_PATH}:/.env
+      - ${CYBERMEM_ENV_PATH:-${HOME}/.cybermem/.env}:/.env
+      - ${HOME}/.cybermem/data:/data
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.mcp.rule=Host(`raspberrypi.local`) && (PathPrefix(`/mcp`) || PathPrefix(`/sse`))
+      - traefik.http.routers.mcp.entrypoints=web
+      - traefik.http.services.mcp.loadbalancer.server.port=8080
+      # Legacy API support (for simple REST clients)
+      - traefik.http.routers.legacy-api.rule=Host(`raspberrypi.local`) && (PathPrefix(`/add`) || PathPrefix(`/query`) || PathPrefix(`/all`))
+      - traefik.http.routers.legacy-api.entrypoints=web
+      - traefik.http.services.legacy-api.loadbalancer.server.port=8080
+
+  # Auth sidecar for JWT/API key validation (ForwardAuth)
+  auth-sidecar:
+    image: ghcr.io/mikhailkogan17/cybermem-auth-sidecar:latest
+    container_name: cybermem-auth-sidecar
     environment:
-      # Core settings
-      OM_PORT: "8080"
-      OM_TIER: "deep"
-      # API Key is loaded from /.env file
-
-      # Embeddings (local dev uses Ollama)
-      OM_EMBEDDINGS: ${EMBEDDINGS_PROVIDER:-ollama}
-      OLLAMA_URL: ${OLLAMA_URL:-http://ollama:11434}
-      OPENAI_API_KEY: ${OPENAI_API_KEY:-}
-
-      # Database (local dev uses SQLite)
-      OM_METADATA_BACKEND: ${DB_BACKEND:-sqlite}
-      OM_DB_PATH: ${DB_PATH:-/data/openmemory.sqlite}
-      OM_VECTOR_BACKEND: ${VECTOR_BACKEND:-sqlite}
-
-      # PostgreSQL (for production/testing)
-      OM_PG_HOST: ${PG_HOST:-postgres}
-      OM_PG_PORT: ${PG_PORT:-5432}
-      OM_PG_DB: ${PG_DB:-openmemory}
-      OM_PG_USER: ${PG_USER:-openmemory}
-      OM_PG_PASSWORD: ${PG_PASSWORD:-}
-
-      # Performance
-      OM_RATE_LIMIT_ENABLED: "true"
-      OM_RATE_LIMIT_MAX_REQUESTS: "1000"
-
+      PORT: "3001"
+      API_KEY_FILE: /.env
+    volumes:
+      - ${CYBERMEM_ENV_PATH:-${HOME}/.cybermem/.env}:/.env:ro
     labels:
       - traefik.enable=true
-      - traefik.http.routers.openmemory.entrypoints=web
-      - traefik.http.routers.openmemory.rule=PathPrefix(`/memory`) || PathPrefix(`/health`) || PathPrefix(`/v1`) || PathPrefix(`/api`) || PathPrefix(`/all`) || PathPrefix(`/add`) || PathPrefix(`/sse`)
-      - traefik.http.services.openmemory.loadbalancer.server.port=8080
+      # ForwardAuth middleware
+      - traefik.http.middlewares.auth-check.forwardauth.address=http://auth-sidecar:3001/auth
+      - traefik.http.middlewares.auth-check.forwardauth.authResponseHeaders=X-User-Id,X-User-Email,X-User-Name,X-Auth-Method
     healthcheck:
       test:
         [
@@ -89,15 +69,16 @@ services:
           "--quiet",
           "--tries=1",
           "--spider",
-          "http://localhost:8080/health",
+          "http://localhost:3001/health",
         ]
       interval: 30s
-      timeout: 10s
+      timeout: 5s
       retries: 3
-      start_period: 40s
     restart: unless-stopped
-    depends_on:
-      - traefik
+
+  # NOTE: openmemory container REMOVED
+  # Memory now handled by @cybermem/mcp with embedded openmemory-js SDK
+  # SQLite stored at ~/.cybermem/data/openmemory.sqlite
 
   db-exporter:
     image: ghcr.io/mikhailkogan17/cybermem-db_exporter:latest
@@ -109,10 +90,9 @@ services:
     ports:
       - "8000:8000"
     volumes:
-      - openmemory-data:/data:ro
+      # Mount host openmemory data dir (created by SDK)
+      - ${HOME}/.cybermem/data:/data
     restart: unless-stopped
-    depends_on:
-      - openmemory
 
   log-exporter:
     image: ghcr.io/mikhailkogan17/cybermem-log_exporter:latest
@@ -124,12 +104,11 @@ services:
       DB_PATH: /data/openmemory.sqlite
     volumes:
       - traefik-logs:/var/log/traefik:ro
-      - openmemory-data:/data
+      - ${HOME}/.cybermem/data:/data
       - ./monitoring/log_exporter/exporter.py:/app/exporter.py:ro
     restart: unless-stopped
     depends_on:
       - traefik
-      - openmemory
 
   postgres:
     image: postgres:15-alpine
@@ -200,6 +179,7 @@ services:
     image: ghcr.io/mikhailkogan17/cybermem-dashboard:latest
     container_name: cybermem-dashboard
     environment:
+      DB_EXPORTER_URL: http://db-exporter:8000
       NEXT_PUBLIC_PROMETHEUS_URL: http://prometheus:9090
       PROMETHEUS_URL: http://prometheus:9090
       OM_API_KEY: ${OM_API_KEY:-dev-secret-key}
@@ -209,7 +189,7 @@ services:
     volumes:
       - openmemory-data:/data
       - /var/run/docker.sock:/var/run/docker.sock
-      - ${CYBERMEM_ENV_PATH}:/app/shared.env
+      - ${CYBERMEM_ENV_PATH:-${HOME}/.cybermem/.env}:/app/shared.env
     labels:
       - traefik.enable=true
       # Dashboard route: /cybermem -> dashboard on port 3000
@@ -221,6 +201,7 @@ services:
     restart: unless-stopped
     depends_on:
       - prometheus
+      - db-exporter
 
 volumes:
   openmemory-data:

package/dist/templates/monitoring/db_exporter/exporter.py

@@ -78,10 +78,19 @@ success_rate_aggregate = Gauge(
 )
 
 
-def get_db_connection():
-    """Get SQLite database connection."""
+def get_db_connection(readonly=True):
+    """Get SQLite database connection.
+
+    For WAL mode databases, we need read-write access to perform checkpoint
+    and see the latest data.
+    """
     try:
-        conn = sqlite3.connect(DB_PATH)
+        if readonly:
+            # Read-only mode for metrics queries
+            conn = sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True, timeout=10.0)
+        else:
+            # Read-write mode for checkpoint operations
+            conn = sqlite3.connect(DB_PATH, timeout=10.0)
         conn.row_factory = sqlite3.Row
         return conn
     except Exception as e:
@@ -89,6 +98,19 @@ def get_db_connection():
         raise
 
 
+def do_wal_checkpoint():
+    """Perform WAL checkpoint to flush data to main database file."""
+    try:
+        conn = get_db_connection(readonly=False)
+        result = conn.execute("PRAGMA wal_checkpoint(PASSIVE)").fetchone()
+        conn.close()
+        logger.debug(f"WAL checkpoint result: {result}")
+        return True
+    except Exception as e:
+        logger.warning(f"WAL checkpoint failed (read-only volume?): {e}")
+        return False
+
+
 def collect_metrics():
     """Collect all metrics from OpenMemory database."""
     try:
@@ -280,6 +302,19 @@ def metrics():
     return Response(generate_latest(), mimetype=CONTENT_TYPE_LATEST)
 
 
+@app.route("/health")
+def health():
+    """Health check endpoint for dashboard"""
+    try:
+        db = get_db_connection()
+        cursor = db.cursor()
+        cursor.execute("SELECT 1")
+        db.close()
+        return jsonify({"status": "ok", "db": "connected"})
+    except Exception as e:
+        return jsonify({"status": "error", "error": str(e)}), 503
+
+
 @app.route("/api/logs")
 def api_logs():
     """Access logs API endpoint"""
@@ -401,88 +436,92 @@ def api_stats():
 
 @app.route("/api/timeseries")
 def api_timeseries():
-    """Time series data for dashboard charts - bucketed by hour"""
+    """Time series data for dashboard charts - cumulative totals with exact timestamps"""
     try:
         period = request.args.get("period", "24h")
 
-        # Parse period to milliseconds
+        # Parse period to seconds
         period_map = {"1h": 3600, "24h": 86400, "7d": 604800, "30d": 2592000}
         period_seconds = period_map.get(period, 86400)
         start_ms = int((time.time() - period_seconds) * 1000)
-
-        # Bucket size: 1h for 24h, 6h for 7d, 1d for 30d
-        if period in ["1h", "24h"]:
-            bucket_format = "%Y-%m-%d %H:00"
-            bucket_seconds = 3600
-        elif period == "7d":
-            bucket_format = "%Y-%m-%d %H:00"
-            bucket_seconds = 21600  # 6 hours
-        else:
-            bucket_format = "%Y-%m-%d"
-            bucket_seconds = 86400
+        now_ms = int(time.time() * 1000)
 
         db = get_db_connection()
         cursor = db.cursor()
 
-        # Get operations grouped by time bucket and client
+        # Get all events in the period, ordered by timestamp
         cursor.execute(
             """
             SELECT
-                datetime(timestamp/1000, 'unixepoch', 'localtime') as dt,
+                timestamp,
                 client_name,
-                operation,
-                COUNT(*) as count
+                operation
             FROM cybermem_access_log
             WHERE timestamp >= ?
-            GROUP BY strftime(?, datetime(timestamp/1000, 'unixepoch', 'localtime')), client_name, operation
-            ORDER BY dt
+            ORDER BY timestamp ASC
         """,
-            [start_ms, bucket_format],
+            [start_ms],
         )
 
-        # Organize by operation type
-        creates = {}
-        reads = {}
-        updates = {}
-        deletes = {}
+        rows = cursor.fetchall()
+        db.close()
 
-        for row in cursor.fetchall():
-            dt = row["dt"]
+        # Map operations to chart categories
+        def get_op_key(op):
+            if op == "create":
+                return "creates"
+            if op in ["read", "list", "query", "search", "other"]:
+                return "reads"
+            if op == "update":
+                return "updates"
+            if op == "delete":
+                return "deletes"
+            return None
+
+        # Build cumulative data structures
+        # Each chart will have list of {time, client1: cumulative_count, client2: cumulative_count, ...}
+        results = {"creates": [], "reads": [], "updates": [], "deletes": []}
+
+        # Track running totals per client per operation type
+        running_totals = {"creates": {}, "reads": {}, "updates": {}, "deletes": {}}
+
+        # Add initial zero point at period start
+        start_ts = start_ms // 1000
+        for op_key in results:
+            results[op_key].append({"time": start_ts})
+
+        # Process each event and build cumulative series
+        for row in rows:
+            ts = row["timestamp"] // 1000  # Convert to seconds
             client = row["client_name"] or "unknown"
             op = row["operation"]
-            count = row["count"]
+            op_key = get_op_key(op)
 
-            # Round to bucket
-            ts = int(time.mktime(time.strptime(dt, "%Y-%m-%d %H:%M:%S")))
-            bucket_ts = (ts // bucket_seconds) * bucket_seconds
+            if not op_key:
+                continue
 
-            if op == "create":
-                if bucket_ts not in creates:
-                    creates[bucket_ts] = {"time": bucket_ts}
-                creates[bucket_ts][client] = creates[bucket_ts].get(client, 0) + count
-            elif op in ["read", "list", "query", "search", "other"]:
-                if bucket_ts not in reads:
-                    reads[bucket_ts] = {"time": bucket_ts}
-                reads[bucket_ts][client] = reads[bucket_ts].get(client, 0) + count
-            elif op == "update":
-                if bucket_ts not in updates:
-                    updates[bucket_ts] = {"time": bucket_ts}
-                updates[bucket_ts][client] = updates[bucket_ts].get(client, 0) + count
-            elif op == "delete":
-                if bucket_ts not in deletes:
-                    deletes[bucket_ts] = {"time": bucket_ts}
-                deletes[bucket_ts][client] = deletes[bucket_ts].get(client, 0) + count
+            # Increment running total for this client
+            if client not in running_totals[op_key]:
+                running_totals[op_key][client] = 0
+            running_totals[op_key][client] += 1
 
-        db.close()
+            # Create a data point with current cumulative state
+            point = {"time": ts}
+            for c, count in running_totals[op_key].items():
+                point[c] = count
 
-        return jsonify(
-            {
-                "creates": list(creates.values()),
-                "reads": list(reads.values()),
-                "updates": list(updates.values()),
-                "deletes": list(deletes.values()),
-            }
-        )
+            results[op_key].append(point)
+
+        # Add final point at "now" with same totals
+        now_ts = now_ms // 1000
+        for op_key in results:
+            if running_totals[op_key]:
+                final_point = {"time": now_ts}
+                for c, count in running_totals[op_key].items():
+                    final_point[c] = count
+                results[op_key].append(final_point)
+
+        return jsonify(results)
     except Exception as e:
         logger.error(f"Error in /api/timeseries: {e}", exc_info=True)
         return jsonify({"error": str(e)}), 500
@@ -493,6 +532,8 @@ def metrics_collection_loop():
     logger.info("Starting metrics collection loop")
     while True:
         try:
+            # Checkpoint WAL to ensure we see latest data
+            do_wal_checkpoint()
             collect_metrics()
             time.sleep(SCRAPE_INTERVAL)
         except Exception as e:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cybermem/cli",
-  "version": "0.6.9",
+  "version": "0.6.13",
   "description": "CyberMem — Universal Long-Term Memory for AI Agents",
   "homepage": "https://cybermem.dev",
   "repository": {

package/templates/auth-sidecar/Dockerfile

@@ -0,0 +1,5 @@
+FROM node:20-alpine
+WORKDIR /app
+COPY server.js .
+EXPOSE 3001
+CMD ["node", "server.js"]

package/templates/auth-sidecar/server.js

@@ -0,0 +1,159 @@
+/**
+ * CyberMem Auth Sidecar
+ *
+ * ForwardAuth service for Traefik that validates:
+ * 1. JWT tokens (RS256) with embedded public key
+ * 2. API keys (X-API-Key header) - deprecated fallback
+ * 3. Local requests (localhost bypass)
+ *
+ * NO SECRETS REQUIRED - public key is embedded.
+ */
+
+const http = require("http");
+const fs = require("fs");
+const crypto = require("crypto");
+
+const PORT = process.env.PORT || 3001;
+const API_KEY_FILE = process.env.API_KEY_FILE || "/.env";
+
+// RSA Public Key for JWT verification (embedded - no secrets!)
+const PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkrWPslHt+dcX/lckX4mw
+AaI4koCqn7NqEkTtuyJuzFv969Da0ghhWdTIRR6H8pYfsTtqtX2UAZox8i5IJ9t9
+JS8nBfbL2fFiuEz51LMNKMSLw7j2dJT/g5iIdT64LyJZ/9+kLMXC
+EBWPIyEvx4GMzKSf2L+jNaUY/0J8n/JNAbKtIplKtfOU/tNWuoZfcj3SnoxrmApN
+Xw+LsE26EM2Gq7MKLQf3r3GUIm2dBgs7XUNJRiezrPgFzekiaiDyFsNhhk1jkx2I
+ljQgSslGQ4dODE73KB07b0Qi7zPWAtGlCyDQD5RLICzht1mMENta7x+TlPJfDv8g
+XeEmW5ihAgMBAAE=
+-----END PUBLIC KEY-----`;
+
+// Load API key from file (deprecated fallback)
+function loadApiKey() {
+  try {
+    const content = fs.readFileSync(API_KEY_FILE, "utf-8");
+    const match = content.match(/OM_API_KEY=(.+)/);
+    return match ? match[1].trim() : null;
+  } catch {
+    return null;
+  }
+}
+
+// RS256 JWT validation
+function validateJwt(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+
+    const [headerB64, payloadB64, signatureB64] = parts;
+
+    // Decode header to check algorithm
+    const header = JSON.parse(Buffer.from(headerB64, "base64url").toString());
+    if (header.alg !== "RS256") {
+      console.log("JWT: unsupported algorithm", header.alg);
+      return null;
+    }
+
+    // Verify RS256 signature
+    const data = `${headerB64}.${payloadB64}`;
+    const signature = Buffer.from(signatureB64, "base64url");
+
+    const verify = crypto.createVerify("RSA-SHA256");
+    verify.update(data);
+
+    if (!verify.verify(PUBLIC_KEY, signature)) {
+      console.log("JWT: signature verification failed");
+      return null;
+    }
+
+    // Decode payload
+    const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString());
+
+    // Check expiration
+    if (payload.exp && payload.exp < Date.now() / 1000) {
+      console.log("JWT: token expired");
+      return null;
+    }
+
+    // Check issuer
+    if (payload.iss !== "cybermem.dev") {
+      console.log("JWT: invalid issuer", payload.iss);
+      return null;
+    }
+
+    return payload;
+  } catch (err) {
+    console.log("JWT validation error:", err.message);
+    return null;
+  }
+}
+
+// Check if request is from localhost
+function isLocalRequest(req) {
+  const forwarded = req.headers["x-forwarded-for"];
+  const realIp = req.headers["x-real-ip"];
+  const ip = forwarded?.split(",")[0] || realIp || req.socket.remoteAddress;
+
+  return ip === "127.0.0.1" || ip === "::1" || ip === "localhost";
+}
+
+// ForwardAuth handler
+const server = http.createServer((req, res) => {
+  // Health check
+  if (req.url === "/health") {
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ status: "ok" }));
+    return;
+  }
+
+  const authHeader = req.headers["authorization"];
+  const apiKeyHeader = req.headers["x-api-key"];
+
+  // 1. Check JWT (Authorization: Bearer <token>)
+  if (authHeader?.startsWith("Bearer ")) {
+    const token = authHeader.substring(7);
+    const payload = validateJwt(token);
+
+    if (payload) {
+      console.log(`Auth OK: JWT (${payload.email || payload.sub})`);
+      res.writeHead(200, {
+        "X-User-Id": payload.sub || "",
+        "X-User-Email": payload.email || "",
+        "X-User-Name": payload.name || "",
+        "X-Auth-Method": "jwt",
+      });
+      res.end();
+      return;
+    }
+  }
+
+  // 2. Check API Key (deprecated fallback)
+  const expectedKey = loadApiKey();
+  if (apiKeyHeader && expectedKey && apiKeyHeader === expectedKey) {
+    console.log("Auth OK: API Key (deprecated)");
+    res.writeHead(200, {
+      "X-Auth-Method": "api-key",
+      "X-Auth-Deprecated": "true",
+    });
+    res.end();
+    return;
+  }
+
+  // 3. Local bypass (development)
+  if (isLocalRequest(req)) {
+    console.log("Auth OK: Local bypass");
+    res.writeHead(200, {
+      "X-Auth-Method": "local",
+    });
+    res.end();
+    return;
+  }
+
+  // 4. Unauthorized
+  console.log("Auth FAILED: No valid credentials");
+  res.writeHead(401, { "Content-Type": "application/json" });
+  res.end(JSON.stringify({ error: "Unauthorized" }));
+});
+
+server.listen(PORT, () => {
+  console.log(`Auth sidecar (RS256) listening on port ${PORT}`);
+});

package/templates/docker-compose.yml

@@ -26,61 +26,41 @@ services:
       - traefik.enable=true
     restart: unless-stopped
 
-  # Workaround: responds 200 on GET /mcp for Perplexity validation
-  mcp-responder:
-    build:
-      context: ./mcp-responder
-      dockerfile: Dockerfile
-    container_name: cybermem-mcp-responder
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.mcp-get.entrypoints=web
-      - traefik.http.routers.mcp-get.rule=Method(`GET`) && Path(`/mcp`)
-      - traefik.http.routers.mcp-get.priority=200
-      - traefik.http.services.mcp-get.loadbalancer.server.port=8081
+  # MCP Server (Node.js/SDK)
+  mcp-server:
+    image: ghcr.io/mikhailkogan17/cybermem-mcp:latest
     restart: unless-stopped
-
-  openmemory:
-    build:
-      context: ./openmemory
-      dockerfile: Dockerfile
-    container_name: cybermem-openmemory
-    ports: [] # Access via Traefik on 8626
+    container_name: cybermem-mcp
+    environment:
+      PORT: "8080"
+      OM_DB_PATH: /data/openmemory.sqlite
     volumes:
-      - openmemory-data:/data
-      - ${CYBERMEM_ENV_PATH}:/.env
+      - ${CYBERMEM_ENV_PATH:-${HOME}/.cybermem/.env}:/.env
+      - ${HOME}/.cybermem/data:/data
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.mcp.rule=Host(`raspberrypi.local`) && (PathPrefix(`/mcp`) || PathPrefix(`/sse`))
+      - traefik.http.routers.mcp.entrypoints=web
+      - traefik.http.services.mcp.loadbalancer.server.port=8080
+      # Legacy API support (for simple REST clients)
+      - traefik.http.routers.legacy-api.rule=Host(`raspberrypi.local`) && (PathPrefix(`/add`) || PathPrefix(`/query`) || PathPrefix(`/all`))
+      - traefik.http.routers.legacy-api.entrypoints=web
+      - traefik.http.services.legacy-api.loadbalancer.server.port=8080
+
+  # Auth sidecar for JWT/API key validation (ForwardAuth)
+  auth-sidecar:
+    image: ghcr.io/mikhailkogan17/cybermem-auth-sidecar:latest
+    container_name: cybermem-auth-sidecar
     environment:
-      # Core settings
-      OM_PORT: "8080"
-      OM_TIER: "deep"
-      # API Key is loaded from /.env file
-
-      # Embeddings (local dev uses Ollama)
-      OM_EMBEDDINGS: ${EMBEDDINGS_PROVIDER:-ollama}
-      OLLAMA_URL: ${OLLAMA_URL:-http://ollama:11434}
-      OPENAI_API_KEY: ${OPENAI_API_KEY:-}
-
-      # Database (local dev uses SQLite)
-      OM_METADATA_BACKEND: ${DB_BACKEND:-sqlite}
-      OM_DB_PATH: ${DB_PATH:-/data/openmemory.sqlite}
-      OM_VECTOR_BACKEND: ${VECTOR_BACKEND:-sqlite}
-
-      # PostgreSQL (for production/testing)
-      OM_PG_HOST: ${PG_HOST:-postgres}
-      OM_PG_PORT: ${PG_PORT:-5432}
-      OM_PG_DB: ${PG_DB:-openmemory}
-      OM_PG_USER: ${PG_USER:-openmemory}
-      OM_PG_PASSWORD: ${PG_PASSWORD:-}
-
-      # Performance
-      OM_RATE_LIMIT_ENABLED: "true"
-      OM_RATE_LIMIT_MAX_REQUESTS: "1000"
-
+      PORT: "3001"
+      API_KEY_FILE: /.env
+    volumes:
+      - ${CYBERMEM_ENV_PATH:-${HOME}/.cybermem/.env}:/.env:ro
     labels:
       - traefik.enable=true
-      - traefik.http.routers.openmemory.entrypoints=web
-      - traefik.http.routers.openmemory.rule=PathPrefix(`/memory`) || PathPrefix(`/health`) || PathPrefix(`/v1`) || PathPrefix(`/api`) || PathPrefix(`/all`) || PathPrefix(`/add`) || PathPrefix(`/sse`)
-      - traefik.http.services.openmemory.loadbalancer.server.port=8080
+      # ForwardAuth middleware
+      - traefik.http.middlewares.auth-check.forwardauth.address=http://auth-sidecar:3001/auth
+      - traefik.http.middlewares.auth-check.forwardauth.authResponseHeaders=X-User-Id,X-User-Email,X-User-Name,X-Auth-Method
     healthcheck:
       test:
         [
@@ -89,15 +69,16 @@ services:
           "--quiet",
           "--tries=1",
           "--spider",
-          "http://localhost:8080/health",
+          "http://localhost:3001/health",
         ]
       interval: 30s
-      timeout: 10s
+      timeout: 5s
       retries: 3
-      start_period: 40s
     restart: unless-stopped
-    depends_on:
-      - traefik
+
+  # NOTE: openmemory container REMOVED
+  # Memory now handled by @cybermem/mcp with embedded openmemory-js SDK
+  # SQLite stored at ~/.cybermem/data/openmemory.sqlite
 
   db-exporter:
     image: ghcr.io/mikhailkogan17/cybermem-db_exporter:latest
@@ -109,10 +90,9 @@ services:
     ports:
       - "8000:8000"
     volumes:
-      - openmemory-data:/data:ro
+      # Mount host openmemory data dir (created by SDK)
+      - ${HOME}/.cybermem/data:/data
     restart: unless-stopped
-    depends_on:
-      - openmemory
 
   log-exporter:
     image: ghcr.io/mikhailkogan17/cybermem-log_exporter:latest
@@ -124,12 +104,11 @@ services:
       DB_PATH: /data/openmemory.sqlite
     volumes:
       - traefik-logs:/var/log/traefik:ro
-      - openmemory-data:/data
+      - ${HOME}/.cybermem/data:/data
       - ./monitoring/log_exporter/exporter.py:/app/exporter.py:ro
     restart: unless-stopped
     depends_on:
       - traefik
-      - openmemory
 
   postgres:
     image: postgres:15-alpine
@@ -200,6 +179,7 @@ services:
     image: ghcr.io/mikhailkogan17/cybermem-dashboard:latest
     container_name: cybermem-dashboard
     environment:
+      DB_EXPORTER_URL: http://db-exporter:8000
       NEXT_PUBLIC_PROMETHEUS_URL: http://prometheus:9090
       PROMETHEUS_URL: http://prometheus:9090
       OM_API_KEY: ${OM_API_KEY:-dev-secret-key}
@@ -209,7 +189,7 @@ services:
     volumes:
       - openmemory-data:/data
       - /var/run/docker.sock:/var/run/docker.sock
-      - ${CYBERMEM_ENV_PATH}:/app/shared.env
+      - ${CYBERMEM_ENV_PATH:-${HOME}/.cybermem/.env}:/app/shared.env
     labels:
       - traefik.enable=true
       # Dashboard route: /cybermem -> dashboard on port 3000
@@ -221,6 +201,7 @@ services:
     restart: unless-stopped
     depends_on:
       - prometheus
+      - db-exporter
 
 volumes:
   openmemory-data:

package/templates/monitoring/db_exporter/exporter.py

@@ -78,10 +78,19 @@ success_rate_aggregate = Gauge(
 )
 
 
-def get_db_connection():
-    """Get SQLite database connection."""
+def get_db_connection(readonly=True):
+    """Get SQLite database connection.
+
+    For WAL mode databases, we need read-write access to perform checkpoint
+    and see the latest data.
+    """
     try:
-        conn = sqlite3.connect(DB_PATH)
+        if readonly:
+            # Read-only mode for metrics queries
+            conn = sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True, timeout=10.0)
+        else:
+            # Read-write mode for checkpoint operations
+            conn = sqlite3.connect(DB_PATH, timeout=10.0)
         conn.row_factory = sqlite3.Row
         return conn
     except Exception as e:
@@ -89,6 +98,19 @@ def get_db_connection():
         raise
 
 
+def do_wal_checkpoint():
+    """Perform WAL checkpoint to flush data to main database file."""
+    try:
+        conn = get_db_connection(readonly=False)
+        result = conn.execute("PRAGMA wal_checkpoint(PASSIVE)").fetchone()
+        conn.close()
+        logger.debug(f"WAL checkpoint result: {result}")
+        return True
+    except Exception as e:
+        logger.warning(f"WAL checkpoint failed (read-only volume?): {e}")
+        return False
+
+
 def collect_metrics():
     """Collect all metrics from OpenMemory database."""
     try:
@@ -280,6 +302,19 @@ def metrics():
     return Response(generate_latest(), mimetype=CONTENT_TYPE_LATEST)
 
 
+@app.route("/health")
+def health():
+    """Health check endpoint for dashboard"""
+    try:
+        db = get_db_connection()
+        cursor = db.cursor()
+        cursor.execute("SELECT 1")
+        db.close()
+        return jsonify({"status": "ok", "db": "connected"})
+    except Exception as e:
+        return jsonify({"status": "error", "error": str(e)}), 503
+
+
 @app.route("/api/logs")
 def api_logs():
     """Access logs API endpoint"""
@@ -401,88 +436,92 @@ def api_stats():
 
 @app.route("/api/timeseries")
 def api_timeseries():
-    """Time series data for dashboard charts - bucketed by hour"""
+    """Time series data for dashboard charts - cumulative totals with exact timestamps"""
     try:
         period = request.args.get("period", "24h")
 
-        # Parse period to milliseconds
+        # Parse period to seconds
         period_map = {"1h": 3600, "24h": 86400, "7d": 604800, "30d": 2592000}
         period_seconds = period_map.get(period, 86400)
         start_ms = int((time.time() - period_seconds) * 1000)
-
-        # Bucket size: 1h for 24h, 6h for 7d, 1d for 30d
-        if period in ["1h", "24h"]:
-            bucket_format = "%Y-%m-%d %H:00"
-            bucket_seconds = 3600
-        elif period == "7d":
-            bucket_format = "%Y-%m-%d %H:00"
-            bucket_seconds = 21600  # 6 hours
-        else:
-            bucket_format = "%Y-%m-%d"
-            bucket_seconds = 86400
+        now_ms = int(time.time() * 1000)
 
         db = get_db_connection()
         cursor = db.cursor()
 
-        # Get operations grouped by time bucket and client
+        # Get all events in the period, ordered by timestamp
         cursor.execute(
             """
             SELECT
-                datetime(timestamp/1000, 'unixepoch', 'localtime') as dt,
+                timestamp,
                 client_name,
-                operation,
-                COUNT(*) as count
+                operation
             FROM cybermem_access_log
             WHERE timestamp >= ?
-            GROUP BY strftime(?, datetime(timestamp/1000, 'unixepoch', 'localtime')), client_name, operation
-            ORDER BY dt
+            ORDER BY timestamp ASC
         """,
-            [start_ms, bucket_format],
+            [start_ms],
         )
 
-        # Organize by operation type
-        creates = {}
-        reads = {}
-        updates = {}
-        deletes = {}
+        rows = cursor.fetchall()
+        db.close()
 
-        for row in cursor.fetchall():
-            dt = row["dt"]
+        # Map operations to chart categories
+        def get_op_key(op):
+            if op == "create":
+                return "creates"
+            if op in ["read", "list", "query", "search", "other"]:
+                return "reads"
+            if op == "update":
+                return "updates"
+            if op == "delete":
+                return "deletes"
+            return None
+
+        # Build cumulative data structures
+        # Each chart will have list of {time, client1: cumulative_count, client2: cumulative_count, ...}
+        results = {"creates": [], "reads": [], "updates": [], "deletes": []}
+
+        # Track running totals per client per operation type
+        running_totals = {"creates": {}, "reads": {}, "updates": {}, "deletes": {}}
+
+        # Add initial zero point at period start
+        start_ts = start_ms // 1000
+        for op_key in results:
+            results[op_key].append({"time": start_ts})
+
+        # Process each event and build cumulative series
+        for row in rows:
+            ts = row["timestamp"] // 1000  # Convert to seconds
             client = row["client_name"] or "unknown"
             op = row["operation"]
-            count = row["count"]
+            op_key = get_op_key(op)
 
-            # Round to bucket
-            ts = int(time.mktime(time.strptime(dt, "%Y-%m-%d %H:%M:%S")))
-            bucket_ts = (ts // bucket_seconds) * bucket_seconds
+            if not op_key:
+                continue
 
-            if op == "create":
-                if bucket_ts not in creates:
-                    creates[bucket_ts] = {"time": bucket_ts}
-                creates[bucket_ts][client] = creates[bucket_ts].get(client, 0) + count
-            elif op in ["read", "list", "query", "search", "other"]:
-                if bucket_ts not in reads:
-                    reads[bucket_ts] = {"time": bucket_ts}
-                reads[bucket_ts][client] = reads[bucket_ts].get(client, 0) + count
-            elif op == "update":
-                if bucket_ts not in updates:
-                    updates[bucket_ts] = {"time": bucket_ts}
-                updates[bucket_ts][client] = updates[bucket_ts].get(client, 0) + count
-            elif op == "delete":
-                if bucket_ts not in deletes:
-                    deletes[bucket_ts] = {"time": bucket_ts}
-                deletes[bucket_ts][client] = deletes[bucket_ts].get(client, 0) + count
+            # Increment running total for this client
+            if client not in running_totals[op_key]:
+                running_totals[op_key][client] = 0
+            running_totals[op_key][client] += 1
 
-        db.close()
+            # Create a data point with current cumulative state
+            point = {"time": ts}
+            for c, count in running_totals[op_key].items():
+                point[c] = count
 
-        return jsonify(
-            {
-                "creates": list(creates.values()),
-                "reads": list(reads.values()),
-                "updates": list(updates.values()),
-                "deletes": list(deletes.values()),
-            }
-        )
+            results[op_key].append(point)
+
+        # Add final point at "now" with same totals
+        now_ts = now_ms // 1000
+        for op_key in results:
+            if running_totals[op_key]:
+                final_point = {"time": now_ts}
+                for c, count in running_totals[op_key].items():
+                    final_point[c] = count
+                results[op_key].append(final_point)
+
+        return jsonify(results)
     except Exception as e:
         logger.error(f"Error in /api/timeseries: {e}", exc_info=True)
         return jsonify({"error": str(e)}), 500
@@ -493,6 +532,8 @@ def metrics_collection_loop():
     logger.info("Starting metrics collection loop")
     while True:
         try:
+            # Checkpoint WAL to ensure we see latest data
+            do_wal_checkpoint()
             collect_metrics()
             time.sleep(SCRAPE_INTERVAL)
         except Exception as e:

package/templates/openmemory/Dockerfile

@@ -1,19 +0,0 @@
-# OpenMemory using official npm package
-FROM node:20-alpine
-
-WORKDIR /app
-
-# Install openmemory-js from npm (waiting for release with MCP fix)
-RUN npm install openmemory-js@1.3.2
-
-# Create data directory
-RUN mkdir -p /data && chown -R node:node /data /app
-
-USER node
-
-EXPOSE 8080
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
-  CMD node -e "require('http').get('http://localhost:8080/health', (res) => process.exit(res.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))"
-
-CMD ["npm", "start", "--prefix", "/app/node_modules/openmemory-js"]