@joshuaswarren/openclaw-engram 9.2.5 → 9.2.7

package/dist/index.js

@@ -6948,7 +6948,7 @@ var GraphDashboardServer = class {
 
 // src/access-http.ts
 import { createServer as createServer3 } from "http";
-import { randomUUID, timingSafeEqual as timingSafeEqual2 } from "crypto";
+import { randomUUID as randomUUID2, timingSafeEqual as timingSafeEqual2 } from "crypto";
 import { AsyncLocalStorage } from "async_hooks";
 import { existsSync } from "fs";
 import { readFile as readFile14 } from "fs/promises";
@@ -6957,6 +6957,7 @@ import { fileURLToPath, URL as URL3 } from "url";
 
 // src/access-mcp.ts
 import { readFile as readFile13 } from "fs/promises";
+import { randomUUID } from "crypto";
 var MCP_PROTOCOL_VERSION = "2024-11-05";
 async function getMcpServerVersion() {
   const envVersion = readEnvVar("OPENCLAW_ENGRAM_VERSION")?.trim() || readEnvVar("npm_package_version")?.trim();
@@ -7611,6 +7612,33 @@ var EngramMcpServer = class {
   flushTask = null;
   tools;
   authenticatedPrincipal;
+  /**
+   * MCP client info keyed by server-assigned session ID. On each `initialize`
+   * handshake the server generates a UUID, stores the client's clientInfo
+   * against it, and returns the ID as `Mcp-Session-Id` in the response
+   * metadata. Subsequent requests from the same client include this header,
+   * allowing per-session clientInfo lookup without cross-session leaks.
+   */
+  clientInfoBySession = /* @__PURE__ */ new Map();
+  /**
+   * Session IDs generated during initialize, keyed by caller-supplied correlation
+   * ID (unique per HTTP request) to avoid collisions when multiple clients send
+   * initialize with the same JSON-RPC id concurrently.
+   */
+  initSessionIds = /* @__PURE__ */ new Map();
+  /** Get clientInfo for a specific MCP session. Returns undefined for non-MCP requests. */
+  getClientInfo(sessionId) {
+    if (sessionId) {
+      return this.clientInfoBySession.get(sessionId);
+    }
+    return void 0;
+  }
+  /** Pop the session ID generated during an initialize handshake, keyed by correlation ID. */
+  popInitSessionId(correlationId) {
+    const sid = this.initSessionIds.get(correlationId);
+    if (sid !== void 0) this.initSessionIds.delete(correlationId);
+    return sid;
+  }
   async handleRequest(request, options) {
     const id = request.id ?? null;
     const method = request.method ?? "";
@@ -7619,7 +7647,20 @@ var EngramMcpServer = class {
       return { jsonrpc: "2.0", id, result: {} };
     }
     if (method === "initialize") {
+      const params = request.params ?? {};
+      const rawClientInfo = params.clientInfo;
+      const newSessionId = randomUUID();
+      if (rawClientInfo && typeof rawClientInfo.name === "string") {
+        const info = { name: rawClientInfo.name, version: rawClientInfo.version };
+        this.clientInfoBySession.set(newSessionId, info);
+        if (this.clientInfoBySession.size > 1e3) {
+          const firstKey = this.clientInfoBySession.keys().next().value;
+          if (firstKey) this.clientInfoBySession.delete(firstKey);
+        }
+      }
       const version = await getMcpServerVersion();
+      const corrId = options?.correlationId;
+      if (corrId) this.initSessionIds.set(corrId, newSessionId);
       return {
         jsonrpc: "2.0",
         id,
@@ -8240,6 +8281,137 @@ function validateRequest(schemaName, body) {
   return { success: false, error: formatZodError(result.error) };
 }
 
+// src/adapters/types.ts
+function headerValue(headers, key) {
+  const raw = headers[key];
+  const value = Array.isArray(raw) ? raw[0] : raw;
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
+}
+
+// src/adapters/claude-code.ts
+var ClaudeCodeAdapter = class {
+  id = "claude-code";
+  matches(context) {
+    if (context.clientInfo?.name === "claude-code") return true;
+    const ua = headerValue(context.headers, "user-agent");
+    if (ua && ua.toLowerCase().startsWith("claude-code/")) return true;
+    const clientId = headerValue(context.headers, "x-engram-client-id");
+    if (clientId?.toLowerCase() === "claude-code") return true;
+    return false;
+  }
+  resolveIdentity(context) {
+    const mcpSessionId = headerValue(context.headers, "mcp-session-id");
+    const principal = headerValue(context.headers, "x-engram-principal") || "claude-code";
+    const namespace = headerValue(context.headers, "x-engram-namespace") || "claude-code";
+    return {
+      namespace,
+      principal,
+      sessionKey: mcpSessionId ?? context.sessionKey,
+      adapterId: this.id
+    };
+  }
+};
+
+// src/adapters/codex.ts
+var CodexAdapter = class {
+  id = "codex";
+  matches(context) {
+    if (context.clientInfo?.name === "codex-mcp-client") return true;
+    const clientName = context.clientInfo?.name?.toLowerCase() ?? "";
+    if (clientName.includes("codex") && clientName !== "codex-mcp-client") return true;
+    const clientId = headerValue(context.headers, "x-engram-client-id");
+    if (clientId?.toLowerCase() === "codex") return true;
+    return false;
+  }
+  resolveIdentity(context) {
+    const mcpSessionId = headerValue(context.headers, "mcp-session-id");
+    const principal = headerValue(context.headers, "x-engram-principal") || "codex";
+    const namespace = headerValue(context.headers, "x-engram-namespace") || "codex";
+    return {
+      namespace,
+      principal,
+      sessionKey: mcpSessionId ?? context.sessionKey,
+      adapterId: this.id
+    };
+  }
+};
+
+// src/adapters/replit.ts
+var ReplitAdapter = class {
+  id = "replit";
+  matches(context) {
+    const clientId = headerValue(context.headers, "x-engram-client-id");
+    if (clientId?.toLowerCase() === "replit") return true;
+    const clientName = context.clientInfo?.name?.toLowerCase() ?? "";
+    if (clientName.includes("replit")) return true;
+    return false;
+  }
+  resolveIdentity(context) {
+    const mcpSessionId = headerValue(context.headers, "mcp-session-id");
+    const principal = headerValue(context.headers, "x-engram-principal") || "replit-agent";
+    const namespace = headerValue(context.headers, "x-engram-namespace") || "replit";
+    return {
+      namespace,
+      principal,
+      sessionKey: mcpSessionId ?? context.sessionKey,
+      adapterId: this.id
+    };
+  }
+};
+
+// src/adapters/hermes.ts
+var HermesAdapter = class {
+  id = "hermes";
+  matches(context) {
+    if (headerValue(context.headers, "x-hermes-session-id")) return true;
+    const clientId = headerValue(context.headers, "x-engram-client-id");
+    if (clientId?.toLowerCase() === "hermes") return true;
+    const clientName = context.clientInfo?.name?.toLowerCase() ?? "";
+    if (clientName.includes("hermes")) return true;
+    return false;
+  }
+  resolveIdentity(context) {
+    const sessionId = headerValue(context.headers, "x-hermes-session-id");
+    const principal = headerValue(context.headers, "x-engram-principal") || "hermes-agent";
+    const namespace = headerValue(context.headers, "x-engram-namespace") || "hermes";
+    return {
+      namespace,
+      principal,
+      sessionKey: sessionId ?? context.sessionKey,
+      adapterId: this.id
+    };
+  }
+};
+
+// src/adapters/registry.ts
+var AdapterRegistry = class {
+  adapters;
+  constructor(adapters) {
+    this.adapters = adapters ?? [
+      new HermesAdapter(),
+      new ReplitAdapter(),
+      new CodexAdapter(),
+      new ClaudeCodeAdapter()
+    ];
+  }
+  /**
+   * Try each adapter in order. Return the first match, or null if
+   * no adapter recognizes the request context.
+   */
+  resolve(context) {
+    for (const adapter of this.adapters) {
+      if (adapter.matches(context)) {
+        return adapter.resolveIdentity(context);
+      }
+    }
+    return null;
+  }
+  /** List registered adapter IDs */
+  list() {
+    return this.adapters.map((a) => a.id);
+  }
+};
+
 // src/access-http.ts
 function resolveDefaultAdminConsolePublicDir() {
   const candidates = [
@@ -8302,6 +8474,7 @@ var EngramAccessHttpServer = class {
   adminConsoleEnabled;
   adminConsolePublicDir;
   trustPrincipalHeader;
+  adapterRegistry;
   writeRequestTimestamps = [];
   mcpServer;
   server = null;
@@ -8316,6 +8489,7 @@ var EngramAccessHttpServer = class {
     this.adminConsoleEnabled = options.adminConsoleEnabled !== false;
     this.adminConsolePublicDir = options.adminConsolePublicDir ?? defaultAdminConsolePublicDir;
     this.trustPrincipalHeader = options.trustPrincipalHeader === true;
+    this.adapterRegistry = options.enableAdapters !== false ? options.adapterRegistry ?? new AdapterRegistry() : null;
     this.mcpServer = new EngramMcpServer(this.service, { principal: options.principal });
   }
   async start() {
@@ -8324,7 +8498,7 @@ var EngramAccessHttpServer = class {
     }
     if (this.server) return this.status();
     const server = createServer3((req, res) => {
-      const correlationId = randomUUID();
+      const correlationId = randomUUID2();
       correlationIdStore.run(correlationId, () => {
         void this.handle(req, res, correlationId).catch((err) => {
           log.debug(`engram access HTTP request failed [${correlationId}]: ${err}`);
@@ -8386,18 +8560,62 @@ var EngramAccessHttpServer = class {
       maxBodyBytes: this.maxBodyBytes
     };
   }
-  resolveRequestPrincipal(req) {
+  /**
+   * Resolve the adapter identity for the incoming request.
+   * Includes MCP clientInfo from the last initialize handshake if available.
+   * Returns null if no adapter matches or adapters are disabled.
+   */
+  resolveAdapterIdentity(req) {
+    if (!this.adapterRegistry) return null;
+    const sessionId = (() => {
+      const raw = req.headers["mcp-session-id"];
+      return typeof raw === "string" ? raw.trim() : void 0;
+    })();
+    return this.adapterRegistry.resolve({
+      headers: req.headers,
+      clientInfo: this.mcpServer.getClientInfo(sessionId)
+    });
+  }
+  /** Cache for per-request identity resolution (avoids double adapter resolution) */
+  identityCache = /* @__PURE__ */ new WeakMap();
+  /** Resolve principal and namespace from request headers and adapter identity */
+  resolveRequestIdentity(req) {
+    const cached = this.identityCache.get(req);
+    if (cached) return cached;
+    let principal;
+    let namespace;
     if (this.trustPrincipalHeader) {
-      const headerValue = req.headers["x-engram-principal"];
-      const raw = Array.isArray(headerValue) ? headerValue[0] : headerValue;
+      const headerVal = req.headers["x-engram-principal"];
+      const raw = Array.isArray(headerVal) ? headerVal[0] : headerVal;
       if (typeof raw === "string") {
         const trimmed = raw.trim();
         if (trimmed.length > 0) {
-          return trimmed;
+          principal = trimmed;
         }
       }
     }
-    return this.authenticatedPrincipal;
+    const adapterIdentity = this.resolveAdapterIdentity(req);
+    if (adapterIdentity) {
+      if (!principal) {
+        principal = adapterIdentity.principal;
+      }
+      namespace = adapterIdentity.namespace;
+    }
+    if (!principal) {
+      principal = this.authenticatedPrincipal;
+    }
+    const result = { principal, namespace };
+    this.identityCache.set(req, result);
+    return result;
+  }
+  resolveRequestPrincipal(req) {
+    return this.resolveRequestIdentity(req).principal;
+  }
+  /** Resolve namespace: only use the explicit body value. Adapter-inferred namespace
+   *  is intentionally NOT used as a fallback for REST requests — omitting namespace
+   *  should default to the server's global namespace, not silently scope to an adapter. */
+  resolveNamespace(_req, bodyNamespace) {
+    return bodyNamespace || void 0;
   }
   async handle(req, res, correlationId) {
     const parsed = new URL3(req.url ?? "/", `http://${hostToUrlAuthority2(this.host)}`);
@@ -8423,12 +8641,21 @@ var EngramAccessHttpServer = class {
       this.respondJson(res, 200, await this.service.health());
       return;
     }
+    if (req.method === "GET" && pathname === "/engram/v1/adapters") {
+      const identity = this.resolveAdapterIdentity(req);
+      this.respondJson(res, 200, {
+        adaptersEnabled: this.adapterRegistry !== null,
+        registered: this.adapterRegistry?.list() ?? [],
+        resolved: identity
+      });
+      return;
+    }
     if (req.method === "POST" && pathname === "/engram/v1/recall") {
       const body = await this.readValidatedBody(req, "recall");
       const response = await this.service.recall({
         query: body.query ?? "",
         sessionKey: body.sessionKey,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         topK: body.topK,
         mode: body.mode,
         includeDebug: body.includeDebug === true
@@ -8440,7 +8667,7 @@ var EngramAccessHttpServer = class {
       const body = await this.readValidatedBody(req, "recallExplain");
       const response = await this.service.recallExplain({
         sessionKey: body.sessionKey,
-        namespace: body.namespace
+        namespace: this.resolveNamespace(req, body.namespace)
       });
       this.respondJson(res, 200, response);
       return;
@@ -8451,7 +8678,7 @@ var EngramAccessHttpServer = class {
       const response = await this.service.observe({
         sessionKey: body.sessionKey,
         messages: body.messages,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         authenticatedPrincipal: this.resolveRequestPrincipal(req),
         skipExtraction: body.skipExtraction === true
       });
@@ -8464,7 +8691,7 @@ var EngramAccessHttpServer = class {
       const response = await this.service.lcmSearch({
         query: body.query,
         sessionKey: body.sessionKey,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         authenticatedPrincipal: this.resolveRequestPrincipal(req),
         limit: body.limit
       });
@@ -8486,7 +8713,7 @@ var EngramAccessHttpServer = class {
         content: body.content,
         category: body.category,
         confidence: body.confidence,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         tags: body.tags,
         entityRef: body.entityRef,
         ttl: body.ttl,
@@ -8514,7 +8741,7 @@ var EngramAccessHttpServer = class {
         content: body.content,
         category: body.category,
         confidence: body.confidence,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         tags: body.tags,
         entityRef: body.entityRef,
         ttl: body.ttl,
@@ -8633,7 +8860,7 @@ var EngramAccessHttpServer = class {
         memoryId: body.memoryId,
         status: body.status,
         reasonCode: body.reasonCode,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         authenticatedPrincipal: this.resolveRequestPrincipal(req)
       });
       if (this.shouldCountWriteRateLimit(response)) {
@@ -8655,7 +8882,7 @@ var EngramAccessHttpServer = class {
         recordedAt: body.recordedAt,
         summary: body.summary,
         dryRun,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         authenticatedPrincipal: this.resolveRequestPrincipal(req)
       });
       if (this.shouldCountWriteRateLimit(response)) {
@@ -8674,7 +8901,7 @@ var EngramAccessHttpServer = class {
         scenario: body.scenario,
         recordedAt: body.recordedAt,
         dryRun,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         authenticatedPrincipal: this.resolveRequestPrincipal(req)
       });
       if (this.shouldCountWriteRateLimit(response)) {
@@ -8692,8 +8919,15 @@ var EngramAccessHttpServer = class {
     if (isMcpWrite) {
       this.ensureWriteRateLimitAvailable();
     }
+    const sessionId = (() => {
+      const raw = req.headers["mcp-session-id"];
+      return typeof raw === "string" ? raw.trim() : void 0;
+    })();
+    const mcpCorrelationId = correlationIdStore.getStore() ?? randomUUID2();
     const response = await this.mcpServer.handleRequest(request, {
-      principalOverride: this.resolveRequestPrincipal(req)
+      principalOverride: this.resolveRequestPrincipal(req),
+      sessionId,
+      correlationId: mcpCorrelationId
     });
     if (isMcpWrite && response !== null) {
       const result = response.result;
@@ -8708,6 +8942,10 @@ var EngramAccessHttpServer = class {
       res.end();
       return;
     }
+    const assignedSessionId = this.mcpServer.popInitSessionId(mcpCorrelationId);
+    if (assignedSessionId) {
+      res.setHeader("mcp-session-id", assignedSessionId);
+    }
     this.respondJson(res, 200, response);
   }
   respondJson(res, status, payload) {