memory-privacy 1.1.0

package/filters.ts

@@ -0,0 +1,204 @@
+import type { SessionIdentity } from "./identity.js";
+import {
+  extractGroupIdFromPath,
+  extractDateFromPath,
+  extractKnowledgeBaseId,
+  isWithinMembershipPeriod,
+  loadKnowledgeACL,
+  toRelativeMemoryPath,
+} from "./utils.js";
+
+/**
+ * 过滤 memory_search 结果，按身份隔离
+ */
+export function filterResultsByIdentity(
+  results: any,
+  identity: SessionIdentity,
+  workspaceDir: string
+): any {
+  // results 是 AgentToolResult: { content, details }
+  // details 中通常包含 results 数组，每项有 path 字段
+  if (!results || !results.details) return results;
+
+  const details = results.details;
+
+  // memory_search 返回的 details 可能有 results 数组
+  if (Array.isArray(details.results)) {
+    const filtered = details.results.filter((r: any) => {
+      const rawPath: string = r.path || r.filePath || "";
+      const relPath = toRelativeMemoryPath(rawPath, workspaceDir);
+      return isPathAllowedRelative(relPath, identity, workspaceDir);
+    });
+
+    return {
+      ...results,
+      content: results.content.map((c: any) => {
+        if (c.type === "text" && typeof c.text === "string") {
+          // Rewrite the text content to reflect filtered results
+          return {
+            ...c,
+            text: filtered.length > 0
+              ? `Found ${filtered.length} result(s).`
+              : "No results found.",
+          };
+        }
+        return c;
+      }),
+      details: { ...details, results: filtered },
+    };
+  }
+
+  // If results is an array directly
+  if (Array.isArray(details)) {
+    const filtered = details.filter((r: any) => {
+      const rawPath: string = r.path || r.filePath || "";
+      const relPath = toRelativeMemoryPath(rawPath, workspaceDir);
+      return isPathAllowedRelative(relPath, identity, workspaceDir);
+    });
+
+    return {
+      ...results,
+      details: filtered,
+    };
+  }
+
+  return results;
+}
+
+/**
+ * 检查相对路径是否允许访问（用于 memory_search 过滤和 memory_get 检查）
+ */
+function isPathAllowedRelative(
+  relPath: string,
+  identity: SessionIdentity,
+  workspaceDir: string
+): boolean {
+  // 元数据文件永远不返回（包括 owner）
+  if (relPath.endsWith("/_members.json") || relPath.endsWith("/_acl.json")) {
+    return false;
+  }
+
+  // owner 可以访问 memory/ 下的所有文件（元数据除外，已在上面拦截）
+  if (identity.type === "owner") {
+    return relPath.startsWith("memory/");
+  }
+
+  // 以下为非 owner（peer / group）的权限判定
+
+  // owner/ 目录 — 非 owner 一律拒绝
+  if (relPath.startsWith("memory/owner/")) {
+    return false;
+  }
+
+  // memory/ 根目录下的散落文件（如 memory/2026-03-19.md）— 非 owner 拒绝
+  // 合法文件应在 peers/groups/knowledge 子目录中
+  const thirdSegment = relPath.split("/")[1] || "";
+  if (thirdSegment && !["owner", "peers", "groups", "knowledge"].includes(thirdSegment)) {
+    return false;
+  }
+
+  // peers/ 目录
+  if (relPath.startsWith("memory/peers/")) {
+    if (identity.type === "peer") {
+      // OpenClaw 会把 sessionKey 转小写，但目录名保留原始大小写，需忽略大小写
+      const lowerPath = relPath.toLowerCase();
+      return lowerPath.startsWith(`memory/peers/${identity.peerId.toLowerCase()}/`);
+    }
+    return false; // group session 不能访问 peers/
+  }
+
+  // groups/ 目录
+  if (relPath.startsWith("memory/groups/")) {
+    const groupId = extractGroupIdFromPath(relPath);
+
+    if (identity.type === "group") {
+      return groupId.toLowerCase() === identity.groupId.toLowerCase();
+    }
+
+    if (identity.type === "peer") {
+      // 私聊中访问群记忆：按 _members.json 时间线过滤
+      const fileDate = extractDateFromPath(relPath);
+      if (!fileDate) return false;
+      return isWithinMembershipPeriod(workspaceDir, groupId, identity.peerId, fileDate);
+    }
+
+    return false;
+  }
+
+  // knowledge/ 目录
+  if (relPath.startsWith("memory/knowledge/")) {
+    return isKnowledgeAccessAllowed(relPath, identity, workspaceDir);
+  }
+
+  // 未知路径，默认拒绝
+  return false;
+}
+
+/**
+ * 检查路径是否允许访问（支持绝对路径和相对路径）
+ */
+export function isPathAllowed(
+  filePath: string,
+  identity: SessionIdentity,
+  workspaceDir: string
+): boolean {
+  const relPath = toRelativeMemoryPath(filePath, workspaceDir);
+  return isPathAllowedRelative(relPath, identity, workspaceDir);
+}
+
+/**
+ * 检查知识库是否允许访问
+ */
+function isKnowledgeAccessAllowed(
+  relPath: string,
+  identity: SessionIdentity,
+  workspaceDir: string
+): boolean {
+  const acl = loadKnowledgeACL(workspaceDir);
+  const kbId = extractKnowledgeBaseId(relPath);
+  const kbAcl = acl[kbId];
+
+  if (!kbAcl) return false;
+  if (kbAcl.rules.public) return true;
+
+  switch (identity.type) {
+    case "owner": return true;
+    case "peer": {
+      const lp = identity.peerId.toLowerCase();
+      return (
+        kbAcl.rules.userids?.some((u: string) => u.toLowerCase() === lp) ||
+        kbAcl.rules.allowUsers?.some((u: string) => u.toLowerCase() === lp)
+      ) ?? false;
+    }
+    case "group": return kbAcl.rules.allowGroups?.some((g: string) => g.toLowerCase() === identity.groupId.toLowerCase()) ?? false;
+    default: return false;
+  }
+}
+
+/**
+ * 根据身份获取写入目标目录（相对路径）
+ */
+export function getTargetDir(identity: SessionIdentity): string {
+  switch (identity.type) {
+    case "owner": return "memory/owner/";
+    case "peer": return `memory/peers/${identity.peerId}/`;
+    case "group": return `memory/groups/${identity.groupId}/`;
+  }
+}
+
+/**
+ * 检查写入路径是否已经在正确目录中（支持绝对路径和相对路径）
+ */
+export function isWritePathCorrect(filePath: string, identity: SessionIdentity): boolean {
+  const lowerPath = filePath.toLowerCase();
+  switch (identity.type) {
+    case "owner":
+      return lowerPath.includes("/memory/owner/") || lowerPath.startsWith("memory/owner/");
+    case "peer":
+      return lowerPath.includes(`/memory/peers/${identity.peerId.toLowerCase()}/`) ||
+             lowerPath.startsWith(`memory/peers/${identity.peerId.toLowerCase()}/`);
+    case "group":
+      return lowerPath.includes(`/memory/groups/${identity.groupId.toLowerCase()}/`) ||
+             lowerPath.startsWith(`memory/groups/${identity.groupId.toLowerCase()}/`);
+  }
+}

package/identity.ts

@@ -0,0 +1,46 @@
+export type SessionIdentity =
+  | { type: "owner"; userId: string }
+  | { type: "peer"; peerId: string }
+  | { type: "group"; groupId: string };
+
+/**
+ * 从 sessionKey 解析会话身份
+ *
+ * sessionKey 格式（最后一段用 : 分隔的是会话ID）：
+ *   单聊: agent:{agentId}:palz:direct:{userId}:user_{userID}_lobster_{lobsterID}_release_{releaseName}
+ *   群聊: agent:{agentId}:palz:direct:{userId}:user_{userID}_lobster_{lobsterID}_group_{groupID}_release_{releaseName}
+ */
+export function resolveSessionIdentity(sessionKey: string | undefined, config: any): SessionIdentity {
+  const sk = sessionKey ?? "";
+  // 取最后一段（会话ID）
+  const sessionPart = sk.split(":").pop() || "";
+
+  // 1. 群聊：包含 _group_
+  const groupMatch = sessionPart.match(/user_(.+?)_lobster_(.+?)_group_(.+?)_release_(.+)$/);
+  if (groupMatch) {
+    return { type: "group", groupId: groupMatch[3] };
+  }
+
+  // 2. 私聊
+  const peerMatch = sessionPart.match(/user_(.+?)_lobster_(.+?)_release_(.+)$/);
+  if (peerMatch) {
+    const userID = peerMatch[1];
+    if (isOwner(userID, config)) return { type: "owner", userId: userID };
+    return { type: "peer", peerId: userID };
+  }
+
+  // 3. 兜底：未知 session 按 peer 处理（安全优先）
+  return { type: "peer", peerId: "unknown" };
+}
+
+/**
+ * 判断 userId 是否是主人
+ * 对比 openclaw.json 中的 commands.ownerAllowFrom 列表
+ */
+export function isOwner(userId: string, config: any): boolean {
+  const ownerList: (string | number)[] = config?.commands?.ownerAllowFrom ?? [];
+  return ownerList.some(entry => {
+    const entryStr = String(entry);
+    return entryStr === userId || entryStr === "*";
+  });
+}

package/index.ts

@@ -0,0 +1,504 @@
+import path from "path";
+import fs from "fs";
+import { resolveSessionIdentity } from "./identity.js";
+import { filterResultsByIdentity, isPathAllowed, getTargetDir, isWritePathCorrect } from "./filters.js";
+import { getAllowedDirs, loadAllowedMemoryContent } from "./utils.js";
+
+export default {
+  id: "memory-privacy",
+  name: "Memory Privacy Isolation",
+  description: "Multi-user memory isolation for IM + OpenClaw",
+
+  register(api: any) {
+    const config = api.config;
+    const workspaceDir: string =
+      api.runtime?.config?.agents?.defaults?.workspace ??
+      api.config?.agents?.defaults?.workspace ??
+      process.env.OPENCLAW_WORKSPACE ??
+      process.cwd();
+
+    api.logger.info(`[memory-privacy] workspaceDir: ${workspaceDir}`);
+
+    // ====================================================================
+    // 钩子 1: before_prompt_build — 用 memory_search 检索相关记忆注入上下文
+    // ====================================================================
+    api.on("before_prompt_build", async (event: any, ctx: any) => {
+      const identity = resolveSessionIdentity(ctx.sessionKey, config);
+      const wsDir = ctx.workspaceDir || workspaceDir;
+
+      // 从 event.messages 提取用户最新消息作为搜索 query
+      const messages = event.messages || [];
+      const lastUserMsg = [...messages].reverse().find((m: any) => m.role === "user");
+      let query = "";
+      if (lastUserMsg) {
+        const content = lastUserMsg.content;
+        if (typeof content === "string") query = content;
+        else if (Array.isArray(content)) {
+          query = content.filter((c: any) => c.type === "text").map((c: any) => c.text || "").join(" ");
+        }
+      }
+
+      let memoryBlock = "";
+
+      if (query) {
+        try {
+          // 用内置 memory_search 搜索相关记忆
+          const searchTool = api.runtime.tools.createMemorySearchTool({
+            config: ctx.config || config,
+            agentSessionKey: ctx.sessionKey,
+          });
+
+          if (searchTool) {
+            const rawResults = await searchTool.execute("prompt-build-search", { query });
+            // 按身份权限过滤结果
+            const filtered = filterResultsByIdentity(rawResults, identity, wsDir);
+            const details = filtered?.details;
+            const results = Array.isArray(details?.results) ? details.results : [];
+            const snippets = results
+              .map((r: any) => r.snippet || "")
+              .filter((s: string) => s.length > 0);
+
+            if (snippets.length > 0) {
+              memoryBlock = `\n\n${snippets.join("\n\n")}`;
+            }
+          } else {
+            // memory_search 不可用，回退到全量加载
+            const fallback = loadAllowedMemoryContent(wsDir, identity);
+            if (fallback) memoryBlock = `\n\n${fallback}`;
+          }
+        } catch {
+          // 搜索失败，回退到全量加载
+          const fallback = loadAllowedMemoryContent(wsDir, identity);
+          if (fallback) memoryBlock = `\n\n${fallback}`;
+        }
+      }
+
+      switch (identity.type) {
+        case "owner":
+          return {
+            prependContext:
+              `[SYSTEM] 你是主人的私人助理，像正常对话一样自然回复。` +
+              memoryBlock,
+          };
+
+        case "peer":
+          return {
+            prependContext:
+              `[SYSTEM] 你是一个私人助理，像正常对话一样自然回复。\n` +
+              memoryBlock,
+          };
+
+        case "group":
+          return {
+            prependContext:
+              `[SYSTEM] 你是群助理，像正常对话一样自然回复。\n` +
+              memoryBlock,
+          };
+      }
+    });
+
+    // ====================================================================
+    // 钩子 2: registerTool — 包装 memory_search / memory_get
+    // ====================================================================
+    api.registerTool(
+      (ctx: any) => {
+        const identity = resolveSessionIdentity(ctx.sessionKey, config);
+        const wsDir = ctx.workspaceDir || workspaceDir;
+
+        const originalSearchTool = api.runtime.tools.createMemorySearchTool({
+          config: ctx.config || config,
+          agentSessionKey: ctx.sessionKey,
+        });
+
+        const originalGetTool = api.runtime.tools.createMemoryGetTool({
+          config: ctx.config || config,
+          agentSessionKey: ctx.sessionKey,
+        });
+
+        const tools: any[] = [];
+
+        if (originalSearchTool) {
+          const wrappedSearchTool = {
+            ...originalSearchTool,
+            execute: async (
+              toolCallId: string,
+              params: Record<string, unknown>,
+              signal?: AbortSignal,
+              onUpdate?: any
+            ) => {
+              const results = await originalSearchTool.execute(toolCallId, params, signal, onUpdate);
+              return filterResultsByIdentity(results, identity, wsDir);
+            },
+          };
+          tools.push(wrappedSearchTool);
+        }
+
+        if (originalGetTool) {
+          const wrappedGetTool = {
+            ...originalGetTool,
+            execute: async (
+              toolCallId: string,
+              params: Record<string, unknown>,
+              signal?: AbortSignal,
+              onUpdate?: any
+            ) => {
+              const filePath = (params.path || params.filePath || "") as string;
+              if (filePath && !isPathAllowed(filePath, identity, wsDir)) {
+                return {
+                  content: [{ type: "text" as const, text: "No results found." }],
+                  details: { error: "access_denied" },
+                };
+              }
+              return originalGetTool.execute(toolCallId, params, signal, onUpdate);
+            },
+          };
+          tools.push(wrappedGetTool);
+        }
+
+        return tools.length > 0 ? tools : null;
+      },
+      { names: ["memory_search", "memory_get"] }
+    );
+
+    // ====================================================================
+    // 钩子 3: before_tool_call — 写入拦截 + 重定向
+    // ====================================================================
+    api.on("before_tool_call", (event: any, ctx: any) => {
+      const toolName = event.toolName;
+
+      // 拦截所有写入类工具（file_write / write / file_edit / edit / memory_add）
+      const isWriteTool =
+        toolName === "file_write" || toolName === "write" ||
+        toolName === "file_edit" || toolName === "edit" ||
+        toolName === "memory_add";
+      if (!isWriteTool) return;
+
+      const filePath = (event.params?.path || event.params?.filePath || event.params?.file_path || "") as string;
+      if (!filePath) return;
+
+      const identity = resolveSessionIdentity(ctx.sessionKey, config);
+      const lowerFilePath = filePath.toLowerCase();
+
+      // --- MEMORY.md 写入保护（非 owner 阻止）---
+      if (lowerFilePath.endsWith("/memory.md") || lowerFilePath.endsWith("\\memory.md") || lowerFilePath === "memory.md") {
+        if (identity.type !== "owner") {
+          return { block: true, blockReason: "Access denied." };
+        }
+        return; // owner 可以正常写 MEMORY.md
+      }
+
+      // --- USER.md 写入保护（group session 阻止）---
+      if (lowerFilePath.endsWith("/user.md") || lowerFilePath.endsWith("\\user.md") || lowerFilePath === "user.md") {
+        if (identity.type === "group") {
+          return { block: true, blockReason: "Access denied." };
+        }
+        return; // owner / peer 可以写 USER.md
+      }
+
+      // --- 以下只处理 memory/ 目录下的写入 ---
+      // 检查路径是否涉及 memory/ 目录（绝对路径或相对路径）
+      const touchesMemoryDir =
+        lowerFilePath.includes("/memory/") ||
+        lowerFilePath.startsWith("memory/") ||
+        lowerFilePath.startsWith("memory\\");
+      if (!touchesMemoryDir) return;
+
+      // 阻止写入元数据文件
+      if (lowerFilePath.endsWith("/_members.json") || lowerFilePath.endsWith("/_acl.json")) {
+        return { block: true, blockReason: "Access denied." };
+      }
+
+      // 阻止直接写入 knowledge/
+      if (lowerFilePath.includes("/memory/knowledge/") || lowerFilePath.includes("memory/knowledge/")) {
+        return { block: true, blockReason: "Access denied." };
+      }
+
+      // 已经在正确目录中的写入不需要重定向
+      if (isWritePathCorrect(filePath, identity)) return;
+
+      // 重定向到正确目录（与 im-sync 的结构一致：memory/peers/{peerId}/xxx）
+      const filename = filePath.split("/").pop() || filePath.split("\\").pop() || "";
+      const wsDir = ctx.workspaceDir || workspaceDir;
+      const targetDir = getTargetDir(identity);
+      const correctedPath = path.join(wsDir, targetDir, filename);
+
+      api.logger.info(`[memory-privacy] Redirecting write: ${filePath} → ${correctedPath}`);
+
+      // 同时设置所有可能的路径参数名，确保不同工具都能接收
+      const correctedParams = { ...event.params };
+      if (event.params?.path !== undefined) correctedParams.path = correctedPath;
+      if (event.params?.filePath !== undefined) correctedParams.filePath = correctedPath;
+      if (event.params?.file_path !== undefined) correctedParams.file_path = correctedPath;
+      // 如果原始参数只用了一个名称，也要确保最常用的 path 被设置
+      if (!correctedParams.path && !correctedParams.filePath && !correctedParams.file_path) {
+        correctedParams.path = correctedPath;
+      }
+
+      return { params: correctedParams };
+    }, { priority: 10 });
+
+    // ====================================================================
+    // 钩子 4: before_tool_call — 读取拦截（file_read / read）
+    // ====================================================================
+    api.on("before_tool_call", (event: any, ctx: any) => {
+      if (event.toolName !== "file_read" && event.toolName !== "read") return;
+
+      const filePath = (event.params?.path || event.params?.filePath || event.params?.file_path || "") as string;
+      if (!filePath) return;
+
+      const wsDir = ctx.workspaceDir || workspaceDir;
+      const identity = resolveSessionIdentity(ctx.sessionKey, config);
+
+      // 拦截 memory/ 路径的读取
+      if (filePath.includes("/memory/") || filePath.includes("memory/")) {
+        if (!isPathAllowed(filePath, identity, wsDir)) {
+          return { block: true, blockReason: "Access denied." };
+        }
+      }
+
+      // 拦截 MEMORY.md 的读取（peer/group session 不可读）
+      const lowerFilePath = filePath.toLowerCase();
+      if (lowerFilePath.endsWith("/memory.md") || lowerFilePath.endsWith("\\memory.md") || lowerFilePath === "memory.md") {
+        if (identity.type !== "owner") {
+          return { block: true, blockReason: "Access denied." };
+        }
+      }
+
+      // 拦截 USER.md 的读取（group session 不可读）
+      if (lowerFilePath.endsWith("/user.md") || lowerFilePath.endsWith("\\user.md") || lowerFilePath === "user.md") {
+        if (identity.type === "group") {
+          return { block: true, blockReason: "Access denied." };
+        }
+      }
+    }, { priority: 10 });
+
+    // ====================================================================
+    // 钩子 5: before_tool_call — exec/process 拦截
+    // 思路：不做字符串替换（太容易绕过），而是直接将涉及 memory/workspace 的
+    // 命令中的搜索路径替换为 getAllowedDirs 返回的所有有权限目录
+    // ====================================================================
+    api.on("before_tool_call", (event: any, ctx: any) => {
+      if (event.toolName !== "exec" && event.toolName !== "process") return;
+
+      const identity = resolveSessionIdentity(ctx.sessionKey, config);
+      if (identity.type === "owner") return;
+
+      const command = (event.params?.command || event.params?.cmd || "") as string;
+      if (!command) return;
+
+      // MEMORY.md / USER.md 始终拦截非 owner（大小写不敏感）
+      const lowerCommand = command.toLowerCase();
+      if (lowerCommand.includes("memory.md") || lowerCommand.includes("user.md")) {
+        return { block: true, blockReason: "Access denied." };
+      }
+
+      const memoryDir = path.join(workspaceDir, "memory");
+
+      // 检测命令是否涉及 memory 目录（绝对路径 + 相对路径）
+      const touchesMemory =
+        command.includes(memoryDir) ||
+        command.includes("/memory/") ||
+        command.includes("/memory ") ||
+        /(?:^|[\s;|&"'(])memory(?:[/\s]|$)/.test(command);
+
+      // 检测命令是否涉及 workspace 根目录或当前目录（会递归扫描到 memory）
+      // 包括: find /workspace ..., ls ., 以及隐式使用 cwd 的命令（如 bare ls, bare find .）
+      const touchesWorkspaceRoot =
+        command.includes(workspaceDir + " ") ||
+        command.includes(workspaceDir + "/") ||
+        command.includes(workspaceDir + "\"") ||
+        command.includes(workspaceDir + "'") ||
+        command.endsWith(workspaceDir) ||
+        /(?:^|[\s;|&"'(])\.(?:[\s/;|&"')]|$)/.test(command) ||
+        /^(ls|find|tree|du)(\s+-[^\s]*)*\s*$/.test(command.trim());  // bare ls/find/tree/du (no path arg)
+
+      if (!touchesMemory && !touchesWorkspaceRoot) return;
+
+      // 获取用户有权限的所有目录
+      const wsDir = ctx.workspaceDir || workspaceDir;
+      const allowedDirs = getAllowedDirs(wsDir, identity);
+
+      if (allowedDirs.length === 0) {
+        return { block: true, blockReason: "Access denied." };
+      }
+
+      // 用空格拼接所有允许的目录路径，作为搜索目标
+      const allowedPathsStr = allowedDirs.map(d => `"${d}"`).join(" ");
+
+      // 只执行一种替换，避免多次替换导致路径重复（如 memory/peers/user_b/memory/peers/user_b/）
+      let rewritten = command;
+      let replaced = false;
+
+      // 优先替换绝对路径（最精确）
+      if (!replaced && command.includes(memoryDir)) {
+        // 匹配 memoryDir 及其后面可能跟随的 / 和子路径，整体替换
+        const memoryDirEscaped = memoryDir.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        rewritten = rewritten.replace(
+          new RegExp(memoryDirEscaped + "[^\\s;|&\"']*", "g"),
+          allowedPathsStr
+        );
+        replaced = true;
+      }
+
+      // 替换相对路径引用（memory/ 或 memory 作为独立词）
+      if (!replaced && touchesMemory) {
+        rewritten = rewritten.replace(
+          /(?<=^|[\s;|&"'(])memory[^\s;|&"']*/g,
+          allowedPathsStr
+        );
+        replaced = true;
+      }
+
+      // 替换 workspace 根目录引用 或 隐式 cwd 命令
+      if (!replaced && touchesWorkspaceRoot) {
+        if (command.includes(workspaceDir)) {
+          // 替换绝对 workspace 路径及其后面可能的子路径
+          const wsDirEscaped = workspaceDir.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+          rewritten = rewritten.replace(
+            new RegExp(wsDirEscaped + "[^\\s;|&\"']*", "g"),
+            allowedPathsStr
+          );
+        } else if (/(?:^|[\s;|&"'(])\.(?:[\s/;|&"')]|$)/.test(command)) {
+          // 替换 "." 当前目录
+          rewritten = rewritten.replace(
+            /(?<=^|[\s;|&"'(])\.(?=[\s/;|&"')]|$)/g,
+            allowedPathsStr
+          );
+        } else {
+          // bare 命令（如 ls -la），追加允许的目录到命令末尾
+          rewritten = command.trimEnd() + " " + allowedPathsStr;
+        }
+      }
+
+      api.logger.info(`[memory-privacy] Rewriting exec: ${command} → ${rewritten}`);
+
+      return { params: { ...event.params, command: rewritten, cmd: rewritten } };
+    }, { priority: 10 });
+
+    // ====================================================================
+    // 钩子 6: before_tool_call — memory_get 读取拦截
+    // registerTool 包装未生效（添加新工具而非替换），用 before_tool_call 可靠拦截
+    // ====================================================================
+    api.on("before_tool_call", (event: any, ctx: any) => {
+      if (event.toolName !== "memory_get") return;
+
+      const filePath = (event.params?.path || event.params?.filePath || event.params?.file_path || "") as string;
+      if (!filePath) return;
+
+      const identity = resolveSessionIdentity(ctx.sessionKey, config);
+      if (identity.type === "owner") return;
+
+      // 拦截 MEMORY.md（非 owner 不可读）
+      const lowerFilePath = filePath.toLowerCase();
+      if (lowerFilePath.endsWith("/memory.md") || lowerFilePath.endsWith("\\memory.md") || lowerFilePath === "memory.md") {
+        return { block: true, blockReason: "No results found." };
+      }
+
+      // 拦截 USER.md（group session 不可读）
+      if (lowerFilePath.endsWith("/user.md") || lowerFilePath.endsWith("\\user.md") || lowerFilePath === "user.md") {
+        if (identity.type === "group") {
+          return { block: true, blockReason: "No results found." };
+        }
+      }
+
+      const wsDir = ctx.workspaceDir || workspaceDir;
+      if (!isPathAllowed(filePath, identity, wsDir)) {
+        return { block: true, blockReason: "No results found." };
+      }
+    }, { priority: 10 });
+
+    // ====================================================================
+    // 钩子 7: agent_end — 将 agent 对话同步到 memory 文件
+    // ====================================================================
+    api.on("agent_end", (event: any, ctx: any) => {
+      const identity = resolveSessionIdentity(ctx.sessionKey, config);
+      const wsDir = ctx.workspaceDir || workspaceDir;
+      const messages = event.messages || [];
+
+      // 提取用户最新消息
+      const lastUserMsg = [...messages].reverse().find((m: any) => m.role === "user");
+      // 提取虾的最新回复（只取纯文本，过滤 toolCall）
+      const lastAssistantMsg = [...messages].reverse().find((m: any) => m.role === "assistant");
+
+      const userText = extractText(lastUserMsg);
+      const assistantText = extractText(lastAssistantMsg);
+      if (!userText && !assistantText) return;
+
+      // 确定写入路径
+      const now = new Date();
+      const date = dateStr(now);
+      const time = timeStr(now);
+      let filePath: string;
+      let header: string;
+
+      switch (identity.type) {
+        case "owner":
+          filePath = path.join(wsDir, "memory/owner", `${date}.md`);
+          header = `# 主人对话\n\n`;
+          break;
+        case "peer":
+          filePath = path.join(wsDir, `memory/peers/${identity.peerId}`, `${date}.md`);
+          header = `# 与 ${identity.peerId} 的对话\n\n`;
+          break;
+        case "group":
+          filePath = path.join(wsDir, `memory/groups/${identity.groupId}`, `${date}.md`);
+          header = `# 群聊: ${identity.groupId}\n\n`;
+          break;
+      }
+
+      // 文件不存在则创建（含目录）
+      ensureFileWithHeader(filePath!, header!);
+      // 追加写入（格式与 im-sync 一致）
+      if (userText) fs.appendFileSync(filePath!, `[${time}] ${getUserId(identity)}: ${userText}\n`);
+      if (assistantText) fs.appendFileSync(filePath!, `[${time}] 某只虾: ${assistantText}\n`);
+    });
+
+    api.logger.info("[memory-privacy] Plugin registered successfully.");
+  },
+};
+
+/** 从消息中提取纯文本（过滤 toolCall） */
+function extractText(msg: any): string {
+  if (!msg) return "";
+  const content = msg.content;
+  if (typeof content === "string") return content.trim();
+  if (Array.isArray(content)) {
+    return content
+      .filter((c: any) => c.type === "text")
+      .map((c: any) => c.text || "")
+      .join(" ")
+      .trim();
+  }
+  return "";
+}
+
+/** 日期字符串 YYYY-MM-DD */
+function dateStr(d: Date): string {
+  return d.toISOString().slice(0, 10);
+}
+
+/** 时间字符串 HH:MM */
+function timeStr(d: Date): string {
+  return d.toTimeString().slice(0, 5);
+}
+
+/** 确保文件存在，不存在则创建目录和文件（含 header） */
+function ensureFileWithHeader(filePath: string, header: string): void {
+  const dir = path.dirname(filePath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+  if (!fs.existsSync(filePath)) {
+    fs.writeFileSync(filePath, header);
+  }
+}
+
+/** 根据身份获取用户标识 */
+function getUserId(identity: { type: string; userId?: string; peerId?: string; groupId?: string }): string {
+  switch (identity.type) {
+    case "owner": return identity.userId || "owner";
+    case "peer": return identity.peerId || "unknown";
+    case "group": return "user";
+    default: return "unknown";
+  }
+}

package/openclaw.plugin.json

@@ -0,0 +1,10 @@
+{
+  "id": "memory-privacy",
+  "name": "Memory Privacy Isolation",
+  "description": "Multi-user memory isolation for IM + OpenClaw",
+  "configSchema": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {}
+  }
+}

package/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "memory-privacy",
+  "version": "1.1.0",
+  "type": "module",
+  "main": "index.ts",
+  "files": [
+    "*.ts",
+    "openclaw.plugin.json",
+    "!*.test.ts"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "openclaw": {
+    "extensions": [
+      "./index.ts"
+    ]
+  },
+  "devDependencies": {
+    "vitest": "^4.1.0"
+  }
+}

package/utils.ts

@@ -0,0 +1,321 @@
+import fs from "fs";
+import path from "path";
+import type { SessionIdentity } from "./identity.js";
+
+// ========== 类型定义 ==========
+
+export interface MemberPeriod {
+  joined: number;   // Unix 毫秒时间戳
+  left: number | null;
+  reason?: string;
+}
+
+export interface MemberInfo {
+  displayName: string;
+  periods: MemberPeriod[];
+}
+
+export interface MembersJson {
+  groupName?: string;
+  members: Record<string, MemberInfo>;
+}
+
+export interface KnowledgeBaseRule {
+  userids?: string[];
+  allowUsers?: string[];   // 兼容旧格式
+  allowGroups?: string[];
+  public?: boolean;
+}
+
+export interface KnowledgeBaseEntry {
+  name: string;
+  rules: KnowledgeBaseRule;
+}
+
+export type KnowledgeACL = Record<string, KnowledgeBaseEntry>;
+
+// ========== 路径解析 ==========
+
+/**
+ * 从路径中提取 groupId
+ * "memory/groups/grp_12345/2026-03-17.md" → "grp_12345"
+ */
+export function extractGroupIdFromPath(filePath: string): string {
+  const parts = filePath.split("/");
+  const groupsIndex = parts.indexOf("groups");
+  return groupsIndex >= 0 && parts[groupsIndex + 1] ? parts[groupsIndex + 1] : "unknown-group";
+}
+
+/**
+ * 从路径中提取日期
+ * "memory/groups/grp_12345/2026-03-17.md" → "2026-03-17"
+ * "memory/knowledge/engineering/api-design.md" → null
+ */
+export function extractDateFromPath(filePath: string): string | null {
+  const filename = filePath.split("/").pop() || "";
+  const match = filename.match(/^(\d{4}-\d{2}-\d{2})\.md$/);
+  return match ? match[1] : null;
+}
+
+/**
+ * 从路径中提取知识库 ID
+ * "memory/knowledge/engineering/api-design.md" → "engineering"
+ */
+export function extractKnowledgeBaseId(filePath: string): string {
+  const parts = filePath.split("/");
+  const knowledgeIndex = parts.indexOf("knowledge");
+  return knowledgeIndex >= 0 && parts[knowledgeIndex + 1] ? parts[knowledgeIndex + 1] : "unknown-kb";
+}
+
+// ========== 文件加载 ==========
+
+/**
+ * 加载 _members.json
+ */
+export function loadMembersRegistry(filePath: string): MembersJson | null {
+  try {
+    if (fs.existsSync(filePath)) {
+      return JSON.parse(fs.readFileSync(filePath, "utf-8"));
+    }
+  } catch {
+    // ignore parse errors
+  }
+  return null;
+}
+
+/**
+ * 加载知识库 ACL（带 mtime 缓存）
+ */
+let aclCache: { data: KnowledgeACL; mtime: number } | null = null;
+
+export function loadKnowledgeACL(workspaceDir: string): KnowledgeACL {
+  const aclPath = path.join(workspaceDir, "memory", "knowledge", "_acl.json");
+
+  try {
+    const stat = fs.statSync(aclPath);
+    if (aclCache && aclCache.mtime === stat.mtimeMs) {
+      return aclCache.data;
+    }
+
+    const content = fs.readFileSync(aclPath, "utf-8");
+    const data = JSON.parse(content) as KnowledgeACL;
+    aclCache = { data, mtime: stat.mtimeMs };
+    return data;
+  } catch {
+    return {};
+  }
+}
+
+// ========== 群成员时间线 ==========
+
+/**
+ * 检查某个用户在某个日期是否处于群成员期内
+ *
+ * 规则：fileTimestamp >= joined && (left === null || fileTimestamp < left)
+ * fileTimestamp = 文件日期 00:00:00 UTC
+ */
+export function isWithinMembershipPeriod(
+  workspaceDir: string,
+  groupId: string,
+  peerId: string,
+  fileDate: string // "2026-03-17"
+): boolean {
+  const registryPath = path.join(workspaceDir, "memory", "groups", groupId, "_members.json");
+  const registry = loadMembersRegistry(registryPath);
+
+  if (!registry) return false;
+
+  // OpenClaw 把 sessionKey 转小写，但 _members.json 里的 key 保留原始大小写
+  const lowerPeerId = peerId.toLowerCase();
+  const memberKey = Object.keys(registry.members).find(k => k.toLowerCase() === lowerPeerId);
+  const member = memberKey ? registry.members[memberKey] : undefined;
+  if (!member || !member.periods || member.periods.length === 0) return false;
+
+  const fileTimestamp = new Date(`${fileDate}T00:00:00Z`).getTime();
+
+  return member.periods.some((period) => {
+    const afterJoin = fileTimestamp >= period.joined;
+    const beforeLeft = period.left === null || fileTimestamp < period.left;
+    return afterJoin && beforeLeft;
+  });
+}
+
+/**
+ * 将绝对路径转为相对于 workspace 的 memory 路径
+ * "/path/to/workspace/memory/owner/2026-03-17.md" → "memory/owner/2026-03-17.md"
+ */
+export function toRelativeMemoryPath(absolutePath: string, workspaceDir: string): string {
+  const wsPrefix = workspaceDir.endsWith("/") ? workspaceDir : workspaceDir + "/";
+  if (absolutePath.startsWith(wsPrefix)) {
+    return absolutePath.slice(wsPrefix.length);
+  }
+  // Try to find memory/ in the path
+  const memIdx = absolutePath.indexOf("memory/");
+  if (memIdx >= 0) {
+    return absolutePath.slice(memIdx);
+  }
+  return absolutePath;
+}
+
+/**
+ * 获取某个身份有权限访问的所有 memory 子目录（绝对路径列表）
+ *
+ * peer: peers/{peerId}/ + _acl.json 中 userids 包含 peerId 的知识库 + _members.json 中当前在群的群组
+ * group: groups/{groupId}/ + _acl.json 中 allowGroups 包含 groupId 的知识库
+ * owner: memory/ 整个目录
+ */
+export function getAllowedDirs(wsDir: string, identity: SessionIdentity): string[] {
+  const memDir = path.join(wsDir, "memory");
+
+  if (identity.type === "owner") {
+    return [memDir];
+  }
+
+  const dirs: string[] = [];
+
+  if (identity.type === "peer") {
+    // 1. 自己的 peer 目录
+    dirs.push(path.join(memDir, "peers", identity.peerId));
+
+    // 2. 知识库：_acl.json 中 userids 包含该用户
+    const acl = loadKnowledgeACL(wsDir);
+    const lowerPeerId = identity.peerId.toLowerCase();
+    for (const [kbId, kbEntry] of Object.entries(acl)) {
+      const r = kbEntry.rules;
+      if (
+        r.public ||
+        r.userids?.some(u => u.toLowerCase() === lowerPeerId) ||
+        r.allowUsers?.some(u => u.toLowerCase() === lowerPeerId)
+      ) {
+        dirs.push(path.join(memDir, "knowledge", kbId));
+      }
+    }
+
+    // 3. 群组：_members.json 中 members 的 key 匹配且 left === null
+    const groupsDir = path.join(memDir, "groups");
+    try {
+      if (fs.existsSync(groupsDir)) {
+        for (const groupId of fs.readdirSync(groupsDir)) {
+          const groupPath = path.join(groupsDir, groupId);
+          if (!fs.statSync(groupPath).isDirectory()) continue;
+          const membersPath = path.join(groupPath, "_members.json");
+          const registry = loadMembersRegistry(membersPath);
+          if (!registry) continue;
+
+          const memberKey = Object.keys(registry.members)
+            .find(k => k.toLowerCase() === lowerPeerId);
+          if (!memberKey) continue;
+
+          const member = registry.members[memberKey];
+          const lastPeriod = member.periods?.[member.periods.length - 1];
+          if (lastPeriod && lastPeriod.left === null) {
+            dirs.push(groupPath);
+          }
+        }
+      }
+    } catch { /* ignore fs errors */ }
+  }
+
+  if (identity.type === "group") {
+    // 1. 自己的群组目录
+    dirs.push(path.join(memDir, "groups", identity.groupId));
+
+    // 2. 知识库
+    const acl = loadKnowledgeACL(wsDir);
+    const lowerGroupId = identity.groupId.toLowerCase();
+    for (const [kbId, kbEntry] of Object.entries(acl)) {
+      const r = kbEntry.rules;
+      if (
+        r.public ||
+        r.allowGroups?.some(g => g.toLowerCase() === lowerGroupId)
+      ) {
+        dirs.push(path.join(memDir, "knowledge", kbId));
+      }
+    }
+  }
+
+  return dirs;
+}
+
+/**
+ * 读取用户有权限的所有 memory 文件内容，拼接为一个字符串
+ * 跳过元数据文件（_members.json, _acl.json）
+ * maxChars: 最大字符数限制，防止注入过多内容撑爆上下文
+ */
+export function loadAllowedMemoryContent(
+  wsDir: string,
+  identity: SessionIdentity,
+  maxChars: number = 50000
+): string {
+  const dirs = getAllowedDirs(wsDir, identity);
+  const sections: string[] = [];
+  let totalChars = 0;
+
+  for (const dir of dirs) {
+    if (!fs.existsSync(dir)) continue;
+
+    const stat = fs.statSync(dir);
+    if (stat.isFile() && dir.endsWith(".md")) {
+      // 单个文件
+      const content = readMdFile(dir);
+      if (content && totalChars + content.length <= maxChars) {
+        sections.push(content);
+        totalChars += content.length;
+      }
+      continue;
+    }
+
+    if (!stat.isDirectory()) continue;
+
+    // 递归扫描目录下的 .md 文件
+    try {
+      const files = scanMdFiles(dir);
+      for (const filePath of files) {
+        if (totalChars >= maxChars) break;
+        const content = readMdFile(filePath);
+        if (content) {
+          const remaining = maxChars - totalChars;
+          const trimmed = content.length > remaining ? content.slice(0, remaining) + "\n...(truncated)" : content;
+          sections.push(trimmed);
+          totalChars += trimmed.length;
+        }
+      }
+    } catch { /* ignore fs errors */ }
+  }
+
+  return sections.join("\n\n");
+}
+
+/**
+ * 递归扫描目录下的所有 .md 文件（排除元数据文件）
+ */
+function scanMdFiles(dir: string): string[] {
+  const results: string[] = [];
+  try {
+    for (const entry of fs.readdirSync(dir)) {
+      // 跳过元数据文件
+      if (entry === "_members.json" || entry === "_acl.json") continue;
+
+      const fullPath = path.join(dir, entry);
+      const stat = fs.statSync(fullPath);
+      if (stat.isDirectory()) {
+        results.push(...scanMdFiles(fullPath));
+      } else if (entry.endsWith(".md")) {
+        results.push(fullPath);
+      }
+    }
+  } catch { /* ignore */ }
+  return results;
+}
+
+/**
+ * 读取单个 md 文件，返回纯内容（不暴露路径）
+ */
+function readMdFile(filePath: string): string | null {
+  try {
+    const content = fs.readFileSync(filePath, "utf-8").trim();
+    return content || null;
+  } catch {
+    return null;
+  }
+}