npm - limbo-ai - Versions diffs - 1.18.3 → 1.19.0 - Mend

limbo-ai 1.18.3 → 1.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +6 -7
package/SECURITY.md +14 -15
package/cli.js +132 -322
package/config.toml.template +52 -0
package/mcp-server/index.js +4 -4
package/package.json +3 -2
package/setup-server/server.js +23 -7
package/test/cli-filter.test.js +5 -2
package/test/zeroclaw-migration.test.js +255 -0

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # Limbo
-A personal memory agent. Captures ideas, remembers things, and connects knowledge across time — running quietly in a Docker container, accessible via Telegram or the OpenClaw gateway.
+A personal memory agent. Captures ideas, remembers things, and connects knowledge across time — running quietly in a Docker container, accessible via Telegram or the ZeroClaw gateway.
 ## What it is
@@ -88,9 +88,9 @@ npx limbo-ai start --reconfigure
 Message your bot and Limbo will respond — full agent with personality, memory logic, and vault tools.
-#### OpenClaw client
+#### ZeroClaw client
-Any [OpenClaw](https://openclaw.dev)-compatible chat client can connect to:
+Any ZeroClaw-compatible chat client can connect via WebSocket to:
 ```
 ws://localhost:18789
@@ -131,9 +131,8 @@ Managed automatically by `npx limbo-ai start`, stored in `~/.limbo/.env`.
 | `TELEGRAM_ENABLED` | no | `false` | Enable Telegram bot integration |
 | `TELEGRAM_BOT_TOKEN` | no | — | Telegram bot token (required if `TELEGRAM_ENABLED=true`) |
 | `TELEGRAM_AUTO_PAIR_FIRST_DM` | no | `false` | Auto-approves the first Telegram DM sender and persists access (must opt-in explicitly) |
-| `OPENCLAW_GATEWAY_TOKEN` | no | generated | Stable gateway token for OpenClaw-compatible clients |
-> \* API keys are required only for `AUTH_MODE=api-key`. Subscription auth uses OpenClaw auth profiles instead.
+> \* API keys are required only for `AUTH_MODE=api-key`. Subscription auth uses ZeroClaw auth profiles instead.
 ---
@@ -159,7 +158,7 @@ Full tool specs in `workspace/TOOLS.md`.
 │              Docker Container           │
 │                                         │
 │  ┌─────────────┐    ┌────────────────┐  │
-│  │  OpenClaw   │◄──►│  LLM (Claude   │  │
+│  │  ZeroClaw   │◄──►│  LLM (Claude   │  │
 │  │  Gateway    │    │  or OpenAI)    │  │
 │  │  :18789     │    └────────┬───────┘  │
 │  └──────┬──────┘             │          │
@@ -174,7 +173,7 @@ Full tool specs in `workspace/TOOLS.md`.
 └─────────────────────────────────────────┘
 ```
-- **OpenClaw** — gateway that handles client connections, routes to the LLM, and integrates MCP tools
+- **ZeroClaw** — lightweight Rust gateway that handles client connections, routes to the LLM, and integrates MCP tools
 - **MCP server** — Node.js server providing vault read/write tools
 - **Vault** — plain markdown files with YAML frontmatter, persisted in a named Docker volume
 - **Migrations** — lightweight Node.js migration runner for vault schema changes

package/SECURITY.md CHANGED Viewed

@@ -10,14 +10,14 @@ Limbo runs inside a Docker container with the following hardening:
 - **Capabilities dropped**: All Linux capabilities are dropped (`cap_drop: ALL`)
 - **Process limit**: PID limit of 200 prevents fork bombs
 - **Loopback binding**: Gateway only listens on `127.0.0.1` — not exposed to LAN
-- **Writable paths**: Only `/data` (volume), `/home/limbo/.openclaw` (volume), `/tmp` (tmpfs), and `/home/limbo/.npm` (tmpfs) are writable
+- **Writable paths**: Only `/data` (volume), `/home/limbo/.zeroclaw` (volume), `/tmp` (tmpfs), and `/home/limbo/.npm` (tmpfs) are writable
 ## What Agents Can Access
 Inside the container, the AI agent can:
 - Read and write vault notes in `/data/vault/` (via MCP tools only)
-- Execute MCP tools registered through mcporter (vault_search, vault_read, vault_write_note, vault_update_map)
+- Execute MCP tools registered through ZeroClaw native MCP (vault_search, vault_read, vault_write_note, vault_update_map)
 - Search the web and fetch URLs (`web_search`, `web_fetch` — enabled for recommendations, link previews, etc.)
 - Respond to Telegram messages (if enabled, with pairing required)
 - Make network requests to AI provider APIs (Anthropic, OpenAI, OpenRouter)
@@ -36,9 +36,9 @@ Inside the container, the AI agent can:
 - **Access host filesystem**: Only the bind-mounted vault directory is accessible
 - **Spawn unlimited processes**: PID limit of 200
-## OpenClaw Tool Policy
+## ZeroClaw Tool Policy
-The agent runs with `tools.profile: "messaging"` — the most restrictive built-in profile. On top of that:
+The agent runs with the most restrictive tool profile. On top of that:
 - **Allowed**: `web_search`, `web_fetch` (for link previews, shopping recommendations, general web queries)
 - **Denied**: `exec`, `browser`, `canvas`, `nodes`, `cron`, `gateway`, `sessions_spawn`, `sessions_send`, `process`, `image`, `group:automation`, `group:runtime`, `group:fs`
@@ -57,19 +57,18 @@ API keys are stored as Docker Compose secrets:
 - **Not in environment**: Secrets are scrubbed from the process environment before the gateway starts
 - **Not in `docker inspect`**: Docker secrets don't appear in container inspect output
 - **`.env` file**: Only contains non-sensitive configuration (model provider, model name, language, etc.)
-- **Exception**: `OPENCLAW_GATEWAY_TOKEN` remains in the process environment because the gateway process needs it to validate incoming WebSocket connections. All other secrets (API keys, bot tokens) are scrubbed before exec
+- **Gateway auth**: ZeroClaw manages its own gateway authentication internally. All secrets (API keys, bot tokens) are scrubbed from the process environment before the daemon starts
-## OpenClaw Security
+## ZeroClaw Security
-Limbo uses OpenClaw in a **personal assistant trust model** (one trusted operator per gateway). Key settings:
+Limbo uses ZeroClaw in a **personal assistant trust model** (one trusted operator per gateway). Key settings in `config.toml`:
-- `gateway.mode: "local"` — local operation only
-- `gateway.bind: "loopback"` — no network exposure
-- `gateway.auth.mode: "token"` — all WebSocket clients must authenticate
-- `session.dmScope: "per-channel-peer"` — DM sessions are isolated per sender (when using Telegram)
-- `dmPolicy: "pairing"` — unknown Telegram senders must be explicitly approved
-For more on OpenClaw's security model: https://docs.openclaw.ai/security
+- `[gateway] host = "127.0.0.1"` — loopback only, no LAN exposure
+- `[gateway] allow_public_bind = false` — prevents binding to all interfaces
+- `[gateway.auth] mode = "token"` — all WebSocket clients must present a valid token
+- `[gateway.auth] token_file = "/run/secrets/gateway_token"` — reads auth token from Docker secret
+- `[session] dm_scope = "per-channel-peer"` — DM sessions are isolated per sender (when using Telegram)
+- `[channels.telegram] dm_policy = "pairing"` — unknown Telegram senders must be explicitly approved
 ## Network Access
@@ -106,4 +105,4 @@ If you discover a security vulnerability in Limbo:
 3. Include: description, reproduction steps, affected version, and impact assessment
 4. We will acknowledge within 48 hours and work on a fix
-For vulnerabilities in OpenClaw itself, follow their responsible disclosure process at https://docs.openclaw.ai/security
+For vulnerabilities in ZeroClaw itself, follow their responsible disclosure process at https://github.com/zeroclaw-labs/zeroclaw/security