@joshuaswarren/openclaw-engram 9.2.6 → 9.2.7

package/dist/index.js

@@ -6948,7 +6948,7 @@ var GraphDashboardServer = class {
 
 // src/access-http.ts
 import { createServer as createServer3 } from "http";
-import { randomUUID, timingSafeEqual as timingSafeEqual2 } from "crypto";
+import { randomUUID as randomUUID2, timingSafeEqual as timingSafeEqual2 } from "crypto";
 import { AsyncLocalStorage } from "async_hooks";
 import { existsSync } from "fs";
 import { readFile as readFile14 } from "fs/promises";
@@ -6957,6 +6957,7 @@ import { fileURLToPath, URL as URL3 } from "url";
 
 // src/access-mcp.ts
 import { readFile as readFile13 } from "fs/promises";
+import { randomUUID } from "crypto";
 var MCP_PROTOCOL_VERSION = "2024-11-05";
 async function getMcpServerVersion() {
   const envVersion = readEnvVar("OPENCLAW_ENGRAM_VERSION")?.trim() || readEnvVar("npm_package_version")?.trim();
@@ -7611,6 +7612,33 @@ var EngramMcpServer = class {
   flushTask = null;
   tools;
   authenticatedPrincipal;
+  /**
+   * MCP client info keyed by server-assigned session ID. On each `initialize`
+   * handshake the server generates a UUID, stores the client's clientInfo
+   * against it, and returns the ID as `Mcp-Session-Id` in the response
+   * metadata. Subsequent requests from the same client include this header,
+   * allowing per-session clientInfo lookup without cross-session leaks.
+   */
+  clientInfoBySession = /* @__PURE__ */ new Map();
+  /**
+   * Session IDs generated during initialize, keyed by caller-supplied correlation
+   * ID (unique per HTTP request) to avoid collisions when multiple clients send
+   * initialize with the same JSON-RPC id concurrently.
+   */
+  initSessionIds = /* @__PURE__ */ new Map();
+  /** Get clientInfo for a specific MCP session. Returns undefined for non-MCP requests. */
+  getClientInfo(sessionId) {
+    if (sessionId) {
+      return this.clientInfoBySession.get(sessionId);
+    }
+    return void 0;
+  }
+  /** Pop the session ID generated during an initialize handshake, keyed by correlation ID. */
+  popInitSessionId(correlationId) {
+    const sid = this.initSessionIds.get(correlationId);
+    if (sid !== void 0) this.initSessionIds.delete(correlationId);
+    return sid;
+  }
   async handleRequest(request, options) {
     const id = request.id ?? null;
     const method = request.method ?? "";
@@ -7619,7 +7647,20 @@ var EngramMcpServer = class {
       return { jsonrpc: "2.0", id, result: {} };
     }
     if (method === "initialize") {
+      const params = request.params ?? {};
+      const rawClientInfo = params.clientInfo;
+      const newSessionId = randomUUID();
+      if (rawClientInfo && typeof rawClientInfo.name === "string") {
+        const info = { name: rawClientInfo.name, version: rawClientInfo.version };
+        this.clientInfoBySession.set(newSessionId, info);
+        if (this.clientInfoBySession.size > 1e3) {
+          const firstKey = this.clientInfoBySession.keys().next().value;
+          if (firstKey) this.clientInfoBySession.delete(firstKey);
+        }
+      }
       const version = await getMcpServerVersion();
+      const corrId = options?.correlationId;
+      if (corrId) this.initSessionIds.set(corrId, newSessionId);
       return {
         jsonrpc: "2.0",
         id,
@@ -8240,123 +8281,99 @@ function validateRequest(schemaName, body) {
   return { success: false, error: formatZodError(result.error) };
 }
 
+// src/adapters/types.ts
+function headerValue(headers, key) {
+  const raw = headers[key];
+  const value = Array.isArray(raw) ? raw[0] : raw;
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
+}
+
 // src/adapters/claude-code.ts
 var ClaudeCodeAdapter = class {
   id = "claude-code";
   matches(context) {
-    const clientName = context.clientInfo?.name?.toLowerCase() ?? "";
-    if (clientName.includes("claude")) return true;
-    const sessionHeader = headerValue(context.headers, "x-claude-session-id");
-    if (sessionHeader) return true;
+    if (context.clientInfo?.name === "claude-code") return true;
+    const ua = headerValue(context.headers, "user-agent");
+    if (ua && ua.toLowerCase().startsWith("claude-code/")) return true;
+    const clientId = headerValue(context.headers, "x-engram-client-id");
+    if (clientId?.toLowerCase() === "claude-code") return true;
     return false;
   }
   resolveIdentity(context) {
-    const sessionId = headerValue(context.headers, "x-claude-session-id");
-    const projectPath = headerValue(context.headers, "x-claude-project-path");
-    const namespace = projectPath ? slugify(projectPath) : "claude-code";
-    const principal = headerValue(context.headers, "x-engram-principal") || context.clientInfo?.name || "claude-code";
+    const mcpSessionId = headerValue(context.headers, "mcp-session-id");
+    const principal = headerValue(context.headers, "x-engram-principal") || "claude-code";
+    const namespace = headerValue(context.headers, "x-engram-namespace") || "claude-code";
     return {
       namespace,
       principal,
-      sessionKey: sessionId ?? context.sessionKey,
+      sessionKey: mcpSessionId ?? context.sessionKey,
       adapterId: this.id
     };
   }
 };
-function headerValue(headers, key) {
-  const raw = headers[key];
-  const value = Array.isArray(raw) ? raw[0] : raw;
-  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
-}
-function slugify(s) {
-  let slug = s.toLowerCase().replace(/[^a-z0-9]+/g, "-");
-  let start = 0;
-  while (start < slug.length && slug[start] === "-") start++;
-  let end = slug.length;
-  while (end > start && slug[end - 1] === "-") end--;
-  return slug.slice(start, end).slice(0, 80) || "claude-code";
-}
 
 // src/adapters/codex.ts
 var CodexAdapter = class {
   id = "codex";
   matches(context) {
+    if (context.clientInfo?.name === "codex-mcp-client") return true;
     const clientName = context.clientInfo?.name?.toLowerCase() ?? "";
-    if (clientName.includes("codex")) return true;
-    const agentHeader = headerValue2(context.headers, "x-codex-agent-name");
-    if (agentHeader) return true;
+    if (clientName.includes("codex") && clientName !== "codex-mcp-client") return true;
+    const clientId = headerValue(context.headers, "x-engram-client-id");
+    if (clientId?.toLowerCase() === "codex") return true;
     return false;
   }
   resolveIdentity(context) {
-    const agentName = headerValue2(context.headers, "x-codex-agent-name");
-    const projectDir = headerValue2(context.headers, "x-codex-project-dir");
-    const namespace = projectDir ? slugify2(projectDir) : "codex";
-    const principal = headerValue2(context.headers, "x-engram-principal") || agentName || context.clientInfo?.name || "codex";
+    const mcpSessionId = headerValue(context.headers, "mcp-session-id");
+    const principal = headerValue(context.headers, "x-engram-principal") || "codex";
+    const namespace = headerValue(context.headers, "x-engram-namespace") || "codex";
     return {
       namespace,
       principal,
-      sessionKey: context.sessionKey,
+      sessionKey: mcpSessionId ?? context.sessionKey,
       adapterId: this.id
     };
   }
 };
-function headerValue2(headers, key) {
-  const raw = headers[key];
-  const value = Array.isArray(raw) ? raw[0] : raw;
-  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
-}
-function slugify2(s) {
-  let slug = s.toLowerCase().replace(/[^a-z0-9]+/g, "-");
-  let start = 0;
-  while (start < slug.length && slug[start] === "-") start++;
-  let end = slug.length;
-  while (end > start && slug[end - 1] === "-") end--;
-  return slug.slice(start, end).slice(0, 80) || "codex";
-}
 
 // src/adapters/replit.ts
 var ReplitAdapter = class {
   id = "replit";
   matches(context) {
-    if (headerValue3(context.headers, "x-replit-project-id")) return true;
-    if (headerValue3(context.headers, "x-replit-user-id")) return true;
+    const clientId = headerValue(context.headers, "x-engram-client-id");
+    if (clientId?.toLowerCase() === "replit") return true;
+    const clientName = context.clientInfo?.name?.toLowerCase() ?? "";
+    if (clientName.includes("replit")) return true;
     return false;
   }
   resolveIdentity(context) {
-    const projectId = headerValue3(context.headers, "x-replit-project-id");
-    const userId = headerValue3(context.headers, "x-replit-user-id");
-    const namespace = projectId ? `replit-${sanitizeId(projectId)}` : "replit";
-    const principal = headerValue3(context.headers, "x-engram-principal") || (userId ? `replit-user-${sanitizeId(userId)}` : "replit-agent");
+    const mcpSessionId = headerValue(context.headers, "mcp-session-id");
+    const principal = headerValue(context.headers, "x-engram-principal") || "replit-agent";
+    const namespace = headerValue(context.headers, "x-engram-namespace") || "replit";
     return {
       namespace,
       principal,
-      sessionKey: context.sessionKey,
+      sessionKey: mcpSessionId ?? context.sessionKey,
       adapterId: this.id
     };
   }
 };
-function headerValue3(headers, key) {
-  const raw = headers[key];
-  const value = Array.isArray(raw) ? raw[0] : raw;
-  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
-}
-function sanitizeId(s) {
-  return s.replace(/[^a-zA-Z0-9_-]/g, "").slice(0, 64);
-}
 
 // src/adapters/hermes.ts
 var HermesAdapter = class {
   id = "hermes";
   matches(context) {
-    if (headerValue4(context.headers, "x-hermes-session-id")) return true;
-    if (headerValue4(context.headers, "x-hermes-profile")) return true;
+    if (headerValue(context.headers, "x-hermes-session-id")) return true;
+    const clientId = headerValue(context.headers, "x-engram-client-id");
+    if (clientId?.toLowerCase() === "hermes") return true;
+    const clientName = context.clientInfo?.name?.toLowerCase() ?? "";
+    if (clientName.includes("hermes")) return true;
     return false;
   }
   resolveIdentity(context) {
-    const sessionId = headerValue4(context.headers, "x-hermes-session-id");
-    const profile = headerValue4(context.headers, "x-hermes-profile");
-    const namespace = profile ? slugify3(profile) : "hermes";
-    const principal = headerValue4(context.headers, "x-engram-principal") || profile || "hermes-agent";
+    const sessionId = headerValue(context.headers, "x-hermes-session-id");
+    const principal = headerValue(context.headers, "x-engram-principal") || "hermes-agent";
+    const namespace = headerValue(context.headers, "x-engram-namespace") || "hermes";
     return {
       namespace,
       principal,
@@ -8365,19 +8382,6 @@ var HermesAdapter = class {
     };
   }
 };
-function headerValue4(headers, key) {
-  const raw = headers[key];
-  const value = Array.isArray(raw) ? raw[0] : raw;
-  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
-}
-function slugify3(s) {
-  let slug = s.toLowerCase().replace(/[^a-z0-9]+/g, "-");
-  let start = 0;
-  while (start < slug.length && slug[start] === "-") start++;
-  let end = slug.length;
-  while (end > start && slug[end - 1] === "-") end--;
-  return slug.slice(start, end).slice(0, 80) || "hermes";
-}
 
 // src/adapters/registry.ts
 var AdapterRegistry = class {
@@ -8494,7 +8498,7 @@ var EngramAccessHttpServer = class {
     }
     if (this.server) return this.status();
     const server = createServer3((req, res) => {
-      const correlationId = randomUUID();
+      const correlationId = randomUUID2();
       correlationIdStore.run(correlationId, () => {
         void this.handle(req, res, correlationId).catch((err) => {
           log.debug(`engram access HTTP request failed [${correlationId}]: ${err}`);
@@ -8558,30 +8562,60 @@ var EngramAccessHttpServer = class {
   }
   /**
    * Resolve the adapter identity for the incoming request.
+   * Includes MCP clientInfo from the last initialize handshake if available.
    * Returns null if no adapter matches or adapters are disabled.
    */
   resolveAdapterIdentity(req) {
     if (!this.adapterRegistry) return null;
+    const sessionId = (() => {
+      const raw = req.headers["mcp-session-id"];
+      return typeof raw === "string" ? raw.trim() : void 0;
+    })();
     return this.adapterRegistry.resolve({
-      headers: req.headers
+      headers: req.headers,
+      clientInfo: this.mcpServer.getClientInfo(sessionId)
     });
   }
-  resolveRequestPrincipal(req) {
+  /** Cache for per-request identity resolution (avoids double adapter resolution) */
+  identityCache = /* @__PURE__ */ new WeakMap();
+  /** Resolve principal and namespace from request headers and adapter identity */
+  resolveRequestIdentity(req) {
+    const cached = this.identityCache.get(req);
+    if (cached) return cached;
+    let principal;
+    let namespace;
     if (this.trustPrincipalHeader) {
-      const headerValue5 = req.headers["x-engram-principal"];
-      const raw = Array.isArray(headerValue5) ? headerValue5[0] : headerValue5;
+      const headerVal = req.headers["x-engram-principal"];
+      const raw = Array.isArray(headerVal) ? headerVal[0] : headerVal;
       if (typeof raw === "string") {
         const trimmed = raw.trim();
         if (trimmed.length > 0) {
-          return trimmed;
+          principal = trimmed;
         }
       }
     }
     const adapterIdentity = this.resolveAdapterIdentity(req);
     if (adapterIdentity) {
-      return adapterIdentity.principal;
+      if (!principal) {
+        principal = adapterIdentity.principal;
+      }
+      namespace = adapterIdentity.namespace;
     }
-    return this.authenticatedPrincipal;
+    if (!principal) {
+      principal = this.authenticatedPrincipal;
+    }
+    const result = { principal, namespace };
+    this.identityCache.set(req, result);
+    return result;
+  }
+  resolveRequestPrincipal(req) {
+    return this.resolveRequestIdentity(req).principal;
+  }
+  /** Resolve namespace: only use the explicit body value. Adapter-inferred namespace
+   *  is intentionally NOT used as a fallback for REST requests — omitting namespace
+   *  should default to the server's global namespace, not silently scope to an adapter. */
+  resolveNamespace(_req, bodyNamespace) {
+    return bodyNamespace || void 0;
   }
   async handle(req, res, correlationId) {
     const parsed = new URL3(req.url ?? "/", `http://${hostToUrlAuthority2(this.host)}`);
@@ -8621,7 +8655,7 @@ var EngramAccessHttpServer = class {
       const response = await this.service.recall({
         query: body.query ?? "",
         sessionKey: body.sessionKey,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         topK: body.topK,
         mode: body.mode,
         includeDebug: body.includeDebug === true
@@ -8633,7 +8667,7 @@ var EngramAccessHttpServer = class {
       const body = await this.readValidatedBody(req, "recallExplain");
       const response = await this.service.recallExplain({
         sessionKey: body.sessionKey,
-        namespace: body.namespace
+        namespace: this.resolveNamespace(req, body.namespace)
       });
       this.respondJson(res, 200, response);
       return;
@@ -8644,7 +8678,7 @@ var EngramAccessHttpServer = class {
       const response = await this.service.observe({
         sessionKey: body.sessionKey,
         messages: body.messages,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         authenticatedPrincipal: this.resolveRequestPrincipal(req),
         skipExtraction: body.skipExtraction === true
       });
@@ -8657,7 +8691,7 @@ var EngramAccessHttpServer = class {
       const response = await this.service.lcmSearch({
         query: body.query,
         sessionKey: body.sessionKey,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         authenticatedPrincipal: this.resolveRequestPrincipal(req),
         limit: body.limit
       });
@@ -8679,7 +8713,7 @@ var EngramAccessHttpServer = class {
         content: body.content,
         category: body.category,
         confidence: body.confidence,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         tags: body.tags,
         entityRef: body.entityRef,
         ttl: body.ttl,
@@ -8707,7 +8741,7 @@ var EngramAccessHttpServer = class {
         content: body.content,
         category: body.category,
         confidence: body.confidence,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         tags: body.tags,
         entityRef: body.entityRef,
         ttl: body.ttl,
@@ -8826,7 +8860,7 @@ var EngramAccessHttpServer = class {
         memoryId: body.memoryId,
         status: body.status,
         reasonCode: body.reasonCode,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         authenticatedPrincipal: this.resolveRequestPrincipal(req)
       });
       if (this.shouldCountWriteRateLimit(response)) {
@@ -8848,7 +8882,7 @@ var EngramAccessHttpServer = class {
         recordedAt: body.recordedAt,
         summary: body.summary,
         dryRun,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         authenticatedPrincipal: this.resolveRequestPrincipal(req)
       });
       if (this.shouldCountWriteRateLimit(response)) {
@@ -8867,7 +8901,7 @@ var EngramAccessHttpServer = class {
         scenario: body.scenario,
         recordedAt: body.recordedAt,
         dryRun,
-        namespace: body.namespace,
+        namespace: this.resolveNamespace(req, body.namespace),
         authenticatedPrincipal: this.resolveRequestPrincipal(req)
       });
       if (this.shouldCountWriteRateLimit(response)) {
@@ -8885,8 +8919,15 @@ var EngramAccessHttpServer = class {
     if (isMcpWrite) {
       this.ensureWriteRateLimitAvailable();
     }
+    const sessionId = (() => {
+      const raw = req.headers["mcp-session-id"];
+      return typeof raw === "string" ? raw.trim() : void 0;
+    })();
+    const mcpCorrelationId = correlationIdStore.getStore() ?? randomUUID2();
     const response = await this.mcpServer.handleRequest(request, {
-      principalOverride: this.resolveRequestPrincipal(req)
+      principalOverride: this.resolveRequestPrincipal(req),
+      sessionId,
+      correlationId: mcpCorrelationId
     });
     if (isMcpWrite && response !== null) {
       const result = response.result;
@@ -8901,6 +8942,10 @@ var EngramAccessHttpServer = class {
       res.end();
       return;
     }
+    const assignedSessionId = this.mcpServer.popInitSessionId(mcpCorrelationId);
+    if (assignedSessionId) {
+      res.setHeader("mcp-session-id", assignedSessionId);
+    }
     this.respondJson(res, 200, response);
   }
   respondJson(res, status, payload) {