npm - kongbrain - Versions diffs - 0.3.3 → 0.3.5 - Mend

kongbrain 0.3.3 → 0.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.clawhubignore ADDED Viewed

@@ -0,0 +1,24 @@
+# Binary assets (not text-based, rejected by clawhub)
+*.png
+*.jpg
+*.jpeg
+*.gif
+# Dev tooling
+.claude/
+test/
+vitest.config.ts
+*.test.ts
+# Build/deps
+node_modules/
+dist/
+package-lock.json
+# Secrets/runtime
+.env
+.env.*
+.kongbrain-handoff.json
+# Internal docs
+UPSTREAM-PROPOSALS.md

package/README.md CHANGED Viewed

@@ -5,6 +5,7 @@
 ![KongBrain](KongClaw.png)
 [![npm](https://img.shields.io/npm/v/kongbrain?style=for-the-badge&logo=npm&color=cb3837)](https://www.npmjs.com/package/kongbrain)
+[![ClawHub](https://img.shields.io/badge/ClawHub-kongbrain-ff6b35?style=for-the-badge)](https://clawhub.ai/packages/kongbrain)
 [![GitHub Stars](https://img.shields.io/github/stars/42U/kongbrain?style=for-the-badge&logo=github&color=gold)](https://github.com/42U/kongbrain)
 [![License: MIT](https://img.shields.io/github/license/42U/kongbrain?style=for-the-badge&logo=opensourceinitiative&color=blue)](https://opensource.org/licenses/MIT)
 [![Node.js](https://img.shields.io/badge/Node.js-20+-339933?style=for-the-badge&logo=node.js&logoColor=white)](https://nodejs.org)
@@ -47,29 +48,46 @@ npm install -g openclaw
 ### 2. Start SurrealDB
-Pick one:
+Install SurrealDB via your platform's package manager (see [surrealdb.com/install](https://surrealdb.com/docs/surrealdb/installation)):
 ```bash
-# Native install
+# macOS
+brew install surrealdb/tap/surreal
+# Linux (Debian/Ubuntu)
 curl -sSf https://install.surrealdb.com | sh
 export PATH="$HOME/.surrealdb:$PATH"
-surreal start --user root --pass root --bind 0.0.0.0:8042 surrealkv:~/.kongbrain/surreal.db
 ```
+Then start it locally — **change the credentials before use**:
 ```bash
-# Docker
-docker run -d --name surrealdb -p 8042:8000 \
+surreal start --user youruser --pass yourpass --bind 127.0.0.1:8042 surrealkv:~/.kongbrain/surreal.db
+```
+Or with Docker:
+```bash
+docker run -d --name surrealdb -p 127.0.0.1:8042:8000 \
   -v ~/.kongbrain/surreal-data:/data \
   surrealdb/surrealdb:latest start \
-  --user root --pass root surrealkv:/data/surreal.db
+  --user youruser --pass yourpass surrealkv:/data/surreal.db
 ```
+> **Security note:** Always bind to `127.0.0.1` (not `0.0.0.0`) unless you need remote access. Never use default credentials in production.
 ### 3. Install KongBrain
 ```bash
+# From ClawHub (recommended)
+openclaw plugins install clawhub:kongbrain
+# From npm (fallback)
 openclaw plugins install kongbrain
 ```
+> **Note:** Bare `openclaw plugins install kongbrain` checks ClawHub first, then falls back to npm. Use the `clawhub:` prefix to install from ClawHub explicitly.
 ### 4. Activate
 Add to your OpenClaw config (`~/.openclaw/openclaw.json`):
@@ -93,7 +111,7 @@ openclaw tui
 That's it. KongBrain uses whatever LLM provider and model you already have configured in OpenClaw (Anthropic, OpenAI, Google, Ollama, whatever). No separate API keys needed for the brain itself.
-The BGE-M3 embedding model (~420MB) downloads automatically on first startup. All database tables and indexes are created automatically on first run. No manual setup required.
+The BGE-M3 embedding model (~420MB) downloads automatically on first startup from [Hugging Face](https://huggingface.co/BAAI/bge-m3). All database tables and indexes are created automatically on first run. No manual setup required.
 <details>
 <summary><strong>Configuration Options</strong></summary>
@@ -102,9 +120,9 @@ All options have sensible defaults. Override via plugin config or environment va
 | Option | Env Var | Default |
 |--------|---------|---------|
-| `surreal.url` | `SURREAL_URL` | `ws://localhost:8042/rpc` |
-| `surreal.user` | `SURREAL_USER` | `root` |
-| `surreal.pass` | `SURREAL_PASS` | `root` |
+| `surreal.url` | `SURREAL_URL` | `ws://127.0.0.1:8042/rpc` |
+| `surreal.user` | `SURREAL_USER` | (required) |
+| `surreal.pass` | `SURREAL_PASS` | (required) |
 | `surreal.ns` | `SURREAL_NS` | `kong` |
 | `surreal.db` | `SURREAL_DB` | `memory` |
 | `embedding.modelPath` | `KONGBRAIN_EMBEDDING_MODEL` | Auto-downloaded BGE-M3 Q4_K_M |
@@ -123,9 +141,9 @@ Full config example:
       "kongbrain": {
         "config": {
           "surreal": {
-            "url": "ws://localhost:8042/rpc",
-            "user": "root",
-            "pass": "root",
+            "url": "ws://127.0.0.1:8042/rpc",
+            "user": "youruser",
+            "pass": "yourpass",
             "ns": "kong",
             "db": "memory"
           }

package/SKILL.md ADDED Viewed

@@ -0,0 +1,110 @@
+---
+name: kongbrain
+description: Graph-backed persistent memory engine for OpenClaw. Replaces the default context window with SurrealDB + vector embeddings that learn across sessions.
+version: 0.3.5
+homepage: https://github.com/42U/kongbrain
+metadata:
+  openclaw:
+    requires:
+      bins:
+        - surreal
+      env:
+        - SURREAL_URL
+        - SURREAL_USER
+        - SURREAL_PASS
+        - SURREAL_NS
+        - SURREAL_DB
+    primaryEnv: SURREAL_URL
+    install:
+      - kind: node
+        package: kongbrain
+        bins: []
+---
+# KongBrain
+Graph-backed persistent memory engine for OpenClaw. Replaces the default context window with SurrealDB + vector embeddings that learn across sessions.
+## What it does
+KongBrain gives your OpenClaw agent persistent, structured memory:
+- **Session tracking** - records conversations and extracts knowledge automatically
+- **9 memory categories** - knowledge, goals, reflections, handoffs, corrections, preferences, decisions, skills, and causal chains
+- **Vector search** - BGE-M3 embeddings for semantic recall
+- **Graph relationships** - memories linked via SurrealDB graph edges for traversal
+- **Tiered memory** - core memories always loaded, session memories pinned, rest searched on demand
+- **Mid-session extraction** - extracts knowledge during conversation, not just at exit
+- **Crash resilience** - deferred cleanup processes orphaned sessions on next startup
+## Requirements
+- **SurrealDB** - running instance (local or remote)
+- **Node.js** >= 18
+## Setup
+### Install SurrealDB
+See the official install guide: https://surrealdb.com/docs/surrealdb/installation
+Platform packages:
+```bash
+# macOS
+brew install surrealdb/tap/surreal
+# Linux (Debian/Ubuntu)
+curl -sSf https://install.surrealdb.com | sh
+# Docker
+docker pull surrealdb/surrealdb:latest
+```
+### Start SurrealDB
+```bash
+# Local only (recommended) - use strong credentials in production
+surreal start --user youruser --pass yourpass --bind 127.0.0.1:8000 surrealkv:~/.kongbrain/surreal.db
+```
+> **Security note:** Always bind to `127.0.0.1` (not `0.0.0.0`) unless you specifically need remote access. Change the default credentials before use.
+For Docker:
+```bash
+docker run -d --name surrealdb -p 127.0.0.1:8000:8000 \
+  -v ~/.kongbrain/surreal-data:/data \
+  surrealdb/surrealdb:latest start \
+  --user youruser --pass yourpass surrealkv:/data/surreal.db
+```
+## Configuration
+Set environment variables or provide a `.env` file:
+```
+SURREAL_URL=ws://127.0.0.1:8000/rpc
+SURREAL_USER=youruser
+SURREAL_PASS=yourpass
+SURREAL_NS=kongbrain
+SURREAL_DB=kongbrain
+```
+## Usage
+Install as an OpenClaw plugin:
+```bash
+openclaw plugins install clawhub:kongbrain
+```
+Or via npm:
+```bash
+npm install kongbrain
+```
+The BGE-M3 embedding model (~420MB) downloads automatically on first startup from Hugging Face (https://huggingface.co/BAAI/bge-m3). All database tables and indexes are created automatically on first run.
+KongBrain hooks into OpenClaw's plugin lifecycle automatically. Memory extraction runs in the background via a daemon worker thread.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "kongbrain",
-  "version": "0.3.3",
+  "version": "0.3.5",
   "description": "Graph-backed persistent memory engine for OpenClaw. Replaces the default context window with SurrealDB + vector embeddings that learn across sessions.",
   "type": "module",
   "license": "MIT",
@@ -30,6 +30,14 @@
     ],
     "install": {
       "minHostVersion": ">=2026.3.23"
+    },
+    "compat": {
+      "pluginApi": ">=2026.3.23",
+      "minGatewayVersion": "2026.3.23"
+    },
+    "build": {
+      "openclawVersion": "2026.3.23",
+      "pluginSdkVersion": "2026.3.23"
     }
   },
   "scripts": {

package/src/deferred-cleanup.ts CHANGED Viewed

@@ -129,6 +129,11 @@ async function processOrphanedSession(
           result = JSON.parse(jsonMatch[0].replace(/,\s*([}\]])/g, "$1"));
         } catch { result = {}; }
       }
+      // Strip prototype pollution keys from LLM-generated JSON
+      const BANNED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
+      for (const key of Object.keys(result)) {
+        if (BANNED_KEYS.has(key)) delete (result as any)[key];
+      }
       const keys = Object.keys(result);
       console.warn(`[deferred] parsed ${keys.length} keys: ${keys.join(", ")}`);

package/src/handoff-file.ts CHANGED Viewed

@@ -6,7 +6,7 @@
  * so the next session's wakeup has context even before deferred
  * extraction runs.
  */
-import { readFileSync, writeFileSync, unlinkSync, existsSync } from "node:fs";
+import { readFileSync, writeFileSync, unlinkSync, existsSync, chmodSync } from "node:fs";
 import { join } from "node:path";
 const HANDOFF_FILENAME = ".kongbrain-handoff.json";
@@ -29,7 +29,7 @@ export function writeHandoffFileSync(
 ): void {
   try {
     const path = join(workspaceDir, HANDOFF_FILENAME);
-    writeFileSync(path, JSON.stringify(data, null, 2), "utf-8");
+    writeFileSync(path, JSON.stringify(data, null, 2), { encoding: "utf-8", mode: 0o600 });
   } catch {
     // Best-effort — sync exit handler, can't log async
   }
@@ -46,7 +46,19 @@ export function readAndDeleteHandoffFile(
   try {
     const raw = readFileSync(path, "utf-8");
     unlinkSync(path);
-    return JSON.parse(raw) as HandoffFileData;
+    const parsed = JSON.parse(raw);
+    // Runtime validation — reject prototype pollution and malformed data
+    if (parsed == null || typeof parsed !== "object" || Array.isArray(parsed)) return null;
+    if ("__proto__" in parsed || "constructor" in parsed) return null;
+    const data: HandoffFileData = {
+      sessionId: typeof parsed.sessionId === "string" ? parsed.sessionId.slice(0, 200) : "",
+      timestamp: typeof parsed.timestamp === "string" ? parsed.timestamp.slice(0, 50) : "",
+      userTurnCount: typeof parsed.userTurnCount === "number" ? parsed.userTurnCount : 0,
+      lastUserText: typeof parsed.lastUserText === "string" ? parsed.lastUserText.slice(0, 500) : "",
+      lastAssistantText: typeof parsed.lastAssistantText === "string" ? parsed.lastAssistantText.slice(0, 500) : "",
+      unextractedTokens: typeof parsed.unextractedTokens === "number" ? parsed.unextractedTokens : 0,
+    };
+    return data;
   } catch {
     // Corrupted or deleted between check and read
     try { unlinkSync(path); } catch { /* ignore */ }