npm - memory-privacy - Versions diffs - 1.7.0 → 1.8.0 - Mend

memory-privacy 1.7.0 → 1.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/filters.ts CHANGED Viewed

@@ -1,57 +1,75 @@
 import type { SessionIdentity } from "./identity";
 import {
-  extractGroupIdFromPath,
   extractDateFromPath,
+  extractGroupIdFromPath,
   extractKnowledgeBaseId,
   isWithinMembershipPeriod,
   loadKnowledgeACL,
   toRelativeMemoryPath,
 } from "./utils";
-/**
- * 过滤 memory_search 结果，按身份隔离
- */
+type SearchResultEntry = Record<string, unknown> & {
+  path?: string;
+  filePath?: string;
+};
+type SearchContentEntry = Record<string, unknown> & {
+  type?: string;
+  text?: string;
+};
+type SearchDetails = Record<string, unknown> & {
+  results?: SearchResultEntry[];
+};
+type SearchToolResult = Record<string, unknown> & {
+  content?: SearchContentEntry[];
+  details?: SearchDetails | SearchResultEntry[];
+};
+function normalizeRelativePath(relPath: string): string {
+  return relPath.replace(/\\/g, "/");
+}
 export function filterResultsByIdentity(
-  results: any,
+  results: SearchToolResult | null | undefined,
   identity: SessionIdentity,
-  workspaceDir: string
-): any {
-  // results 是 AgentToolResult: { content, details }
-  // details 中通常包含 results 数组，每项有 path 字段
-  if (!results || !results.details) return results;
+  workspaceDir: string,
+): SearchToolResult | null | undefined {
+  if (!results?.details) {
+    return results;
+  }
   const details = results.details;
-  // memory_search 返回的 details 可能有 results 数组
-  if (Array.isArray(details.results)) {
-    const filtered = details.results.filter((r: any) => {
-      const rawPath: string = r.path || r.filePath || "";
+  if (Array.isArray((details as SearchDetails).results)) {
+    const filtered = ((details as SearchDetails).results ?? []).filter((result) => {
+      const rawPath = result.path || result.filePath || "";
       const relPath = toRelativeMemoryPath(rawPath, workspaceDir);
       return isPathAllowedRelative(relPath, identity, workspaceDir);
     });
+    const content = Array.isArray(results.content)
+      ? results.content.map((entry) => {
+          if (entry.type === "text" && typeof entry.text === "string") {
+            return {
+              ...entry,
+              text: filtered.length > 0 ? `Found ${filtered.length} result(s).` : "No results found.",
+            };
+          }
+          return entry;
+        })
+      : results.content;
     return {
       ...results,
-      content: results.content.map((c: any) => {
-        if (c.type === "text" && typeof c.text === "string") {
-          // Rewrite the text content to reflect filtered results
-          return {
-            ...c,
-            text: filtered.length > 0
-              ? `Found ${filtered.length} result(s).`
-              : "No results found.",
-          };
-        }
-        return c;
-      }),
-      details: { ...details, results: filtered },
+      content,
+      details: { ...(details as SearchDetails), results: filtered },
     };
   }
-  // If results is an array directly
   if (Array.isArray(details)) {
-    const filtered = details.filter((r: any) => {
-      const rawPath: string = r.path || r.filePath || "";
+    const filtered = details.filter((result) => {
+      const rawPath = result.path || result.filePath || "";
       const relPath = toRelativeMemoryPath(rawPath, workspaceDir);
       return isPathAllowedRelative(relPath, identity, workspaceDir);
     });
@@ -65,140 +83,135 @@ export function filterResultsByIdentity(
   return results;
 }
-/**
- * 检查相对路径是否允许访问（用于 memory_search 过滤和 memory_get 检查）
- */
 function isPathAllowedRelative(
   relPath: string,
   identity: SessionIdentity,
-  workspaceDir: string
+  workspaceDir: string,
 ): boolean {
-  // 元数据文件永远不返回（包括 owner）
-  if (relPath.endsWith("/_members.json") || relPath.endsWith("/_acl.json")) {
+  const normalizedPath = normalizeRelativePath(relPath);
+  if (normalizedPath.endsWith("/_members.json") || normalizedPath.endsWith("/_acl.json")) {
     return false;
   }
-  // owner 可以访问 memory/ 下的所有文件（元数据除外，已在上面拦截）
   if (identity.type === "owner") {
-    return relPath.startsWith("memory/");
+    return normalizedPath.startsWith("memory/");
   }
-  // 以下为非 owner（peer / group）的权限判定
-  // owner/ 目录 — 非 owner 一律拒绝
-  if (relPath.startsWith("memory/owner/")) {
+  if (normalizedPath.startsWith("memory/owner/")) {
     return false;
   }
-  // memory/ 根目录下的散落文件（如 memory/2026-03-19.md）— 非 owner 拒绝
-  // 合法文件应在 peers/groups/knowledge 子目录中
-  const thirdSegment = relPath.split("/")[1] || "";
-  if (thirdSegment && !["owner", "peers", "groups", "knowledge"].includes(thirdSegment)) {
+  const rootSection = normalizedPath.split("/")[1] || "";
+  if (rootSection && !["owner", "peers", "groups", "knowledge"].includes(rootSection)) {
     return false;
   }
-  // peers/ 目录
-  if (relPath.startsWith("memory/peers/")) {
-    if (identity.type === "peer") {
-      // OpenClaw 会把 sessionKey 转小写，但目录名保留原始大小写，需忽略大小写
-      const lowerPath = relPath.toLowerCase();
-      return lowerPath.startsWith(`memory/peers/${identity.peerId.toLowerCase()}/`);
+  if (normalizedPath.startsWith("memory/peers/")) {
+    if (identity.type !== "peer") {
+      return false;
     }
-    return false; // group session 不能访问 peers/
+    return normalizedPath
+      .toLowerCase()
+      .startsWith(`memory/peers/${identity.peerId.toLowerCase()}/`);
   }
-  // groups/ 目录
-  if (relPath.startsWith("memory/groups/")) {
-    const groupId = extractGroupIdFromPath(relPath);
+  if (normalizedPath.startsWith("memory/groups/")) {
+    const groupId = extractGroupIdFromPath(normalizedPath);
     if (identity.type === "group") {
       return groupId.toLowerCase() === identity.groupId.toLowerCase();
     }
     if (identity.type === "peer") {
-      // 私聊中访问群记忆：通过 API 获取成员资格，按时间线过滤
-      const fileDate = extractDateFromPath(relPath);
-      if (!fileDate) return false;
+      const fileDate = extractDateFromPath(normalizedPath);
+      if (!fileDate) {
+        return false;
+      }
       return isWithinMembershipPeriod(groupId, identity.peerId, fileDate);
     }
     return false;
   }
-  // knowledge/ 目录
-  if (relPath.startsWith("memory/knowledge/")) {
-    return isKnowledgeAccessAllowed(relPath, identity, workspaceDir);
+  if (normalizedPath.startsWith("memory/knowledge/")) {
+    return isKnowledgeAccessAllowed(normalizedPath, identity, workspaceDir);
   }
-  // 未知路径，默认拒绝
   return false;
 }
-/**
- * 检查路径是否允许访问（支持绝对路径和相对路径）
- */
 export function isPathAllowed(
   filePath: string,
   identity: SessionIdentity,
-  workspaceDir: string
+  workspaceDir: string,
 ): boolean {
   const relPath = toRelativeMemoryPath(filePath, workspaceDir);
   return isPathAllowedRelative(relPath, identity, workspaceDir);
 }
-/**
- * 检查知识库是否允许访问
- */
 function isKnowledgeAccessAllowed(
   relPath: string,
   identity: SessionIdentity,
-  workspaceDir: string
+  workspaceDir: string,
 ): boolean {
   const acl = loadKnowledgeACL(workspaceDir);
   const kbId = extractKnowledgeBaseId(relPath);
   const kbAcl = acl[kbId];
-  if (!kbAcl) return false;
-  if (kbAcl.rules.public) return true;
+  if (!kbAcl) {
+    return false;
+  }
+  if (kbAcl.rules.public) {
+    return true;
+  }
   switch (identity.type) {
-    case "owner": return true;
+    case "owner":
+      return true;
     case "peer": {
-      const lp = identity.peerId.toLowerCase();
+      const lowerPeerId = identity.peerId.toLowerCase();
       return (
-        kbAcl.rules.userids?.some((u: string) => u.toLowerCase() === lp) ||
-        kbAcl.rules.allowUsers?.some((u: string) => u.toLowerCase() === lp)
+        kbAcl.rules.userids?.some((userId) => userId.toLowerCase() === lowerPeerId) ||
+        kbAcl.rules.allowUsers?.some((userId) => userId.toLowerCase() === lowerPeerId)
       ) ?? false;
     }
-    case "group": return kbAcl.rules.allowGroups?.some((g: string) => g.toLowerCase() === identity.groupId.toLowerCase()) ?? false;
-    default: return false;
+    case "group":
+      return (
+        kbAcl.rules.allowGroups?.some(
+          (groupId) => groupId.toLowerCase() === identity.groupId.toLowerCase(),
+        ) ?? false
+      );
+    default:
+      return false;
   }
 }
-/**
- * 根据身份获取写入目标目录（相对路径）
- */
 export function getTargetDir(identity: SessionIdentity): string {
   switch (identity.type) {
-    case "owner": return "memory/owner/";
-    case "peer": return `memory/peers/${identity.peerId}/`;
-    case "group": return `memory/groups/${identity.groupId}/`;
+    case "owner":
+      return "memory/owner/";
+    case "peer":
+      return `memory/peers/${identity.peerId}/`;
+    case "group":
+      return `memory/groups/${identity.groupId}/`;
   }
 }
-/**
- * 检查写入路径是否已经在正确目录中（支持绝对路径和相对路径）
- */
 export function isWritePathCorrect(filePath: string, identity: SessionIdentity): boolean {
-  const lowerPath = filePath.toLowerCase();
+  const normalizedPath = filePath.toLowerCase().replace(/\\/g, "/");
   switch (identity.type) {
     case "owner":
-      return lowerPath.includes("/memory/owner/") || lowerPath.startsWith("memory/owner/");
+      return normalizedPath.includes("/memory/owner/") || normalizedPath.startsWith("memory/owner/");
     case "peer":
-      return lowerPath.includes(`/memory/peers/${identity.peerId.toLowerCase()}/`) ||
-             lowerPath.startsWith(`memory/peers/${identity.peerId.toLowerCase()}/`);
+      return (
+        normalizedPath.includes(`/memory/peers/${identity.peerId.toLowerCase()}/`) ||
+        normalizedPath.startsWith(`memory/peers/${identity.peerId.toLowerCase()}/`)
+      );
     case "group":
-      return lowerPath.includes(`/memory/groups/${identity.groupId.toLowerCase()}/`) ||
-             lowerPath.startsWith(`memory/groups/${identity.groupId.toLowerCase()}/`);
+      return (
+        normalizedPath.includes(`/memory/groups/${identity.groupId.toLowerCase()}/`) ||
+        normalizedPath.startsWith(`memory/groups/${identity.groupId.toLowerCase()}/`)
+      );
   }
 }

package/identity.ts CHANGED Viewed

@@ -1,47 +1,87 @@
+import { normalizeAgentId, parseAgentSessionKey, parsePalzSessionTail } from "./route";
 export type SessionIdentity =
-  | { type: "owner"; userId: string }
-  | { type: "peer"; peerId: string }
-  | { type: "group"; groupId: string };
+  | { type: "owner"; agentId: string; userId: string; lobsterId?: string; releaseName?: string }
+  | { type: "peer"; agentId: string; peerId: string; lobsterId?: string; releaseName?: string }
+  | {
+      type: "group";
+      agentId: string;
+      groupId: string;
+      userId?: string;
+      lobsterId?: string;
+      releaseName?: string;
+    };
+export interface SessionIdentityParams {
+  sessionKey?: string;
+  agentId?: string;
+}
 /**
- * 从 sessionKey 解析会话身份
+ * Resolve identity for palz session keys.
  *
- * sessionKey 格式（最后一段用 : 分隔的是会话ID）：
- *   单聊: agent:{agentId}:palz:direct:{userId}:user_{userID}_lobster_{lobsterID}_release_{releaseName}
- *   群聊: agent:{agentId}:palz:direct:{userId}:user_{userID}_lobster_{lobsterID}_group_{groupID}_release_{releaseName}
+ * Session key examples:
+ * - direct:
+ *   agent:{agentId}:palz:direct:{userId}:user_{userID}_lobster_{lobsterID}_release_{releaseName}
+ * - group:
+ *   agent:{agentId}:palz:direct:{userId}:user_{userID}_lobster_{lobsterID}_group_{groupID}_release_{releaseName}
  */
-export function resolveSessionIdentity(sessionKey: string | undefined): SessionIdentity {
-  const sk = sessionKey ?? "";
-  // 取最后一段（会话ID）
-  const sessionPart = sk.split(":").pop() || "";
-  // 1. 群聊：包含 _group_
-  const groupMatch = sessionPart.match(/user_(.+?)_lobster_(.+?)_group_(.+?)_release_(.+)$/);
-  if (groupMatch) {
-    return { type: "group", groupId: groupMatch[3] };
+export function resolveSessionIdentity(params: SessionIdentityParams): SessionIdentity {
+  const parsedSession = parseAgentSessionKey(params.sessionKey);
+  const parsedTail = parsePalzSessionTail(params.sessionKey);
+  const agentId = normalizeAgentId(params.agentId) ?? parsedSession?.agentId ?? "main";
+  if (parsedTail.groupId) {
+    return {
+      type: "group",
+      agentId,
+      groupId: parsedTail.groupId,
+      userId: parsedTail.userId,
+      lobsterId: parsedTail.lobsterId,
+      releaseName: parsedTail.releaseName,
+    };
   }
-  // 2. 私聊
-  const peerMatch = sessionPart.match(/user_(.+?)_lobster_(.+?)_release_(.+)$/);
-  if (peerMatch) {
-    const userID = peerMatch[1];
-    if (isOwner(userID)) return { type: "owner", userId: userID };
-    return { type: "peer", peerId: userID };
+  if (parsedTail.userId) {
+    if (isOwner(parsedTail.userId)) {
+      return {
+        type: "owner",
+        agentId,
+        userId: parsedTail.userId,
+        lobsterId: parsedTail.lobsterId,
+        releaseName: parsedTail.releaseName,
+      };
+    }
+    return {
+      type: "peer",
+      agentId,
+      peerId: parsedTail.userId,
+      lobsterId: parsedTail.lobsterId,
+      releaseName: parsedTail.releaseName,
+    };
   }
-  // 3. 兜底：未知 session 按 peer 处理（安全优先）
-  return { type: "peer", peerId: "unknown" };
+  return { type: "peer", agentId, peerId: "unknown" };
 }
 /**
- * 判断 userId 是否是主人
- * 从环境变量 OPENCLAW_GATEWAY_TOKEN 获取并解析主人 ID
- * token 格式如 "oc-user-f76e8c98afb148539963c1b726f2afac"，用 "-" 切分取最后一段作为 owner ID
+ * Resolve whether a user id belongs to the owner.
+ *
+ * The current deployment stores the owner user id inside OPENCLAW_GATEWAY_TOKEN.
+ * Example token format:
+ *   oc-user-f76e8c98afb148539963c1b726f2afac
  */
 export function isOwner(userId: string): boolean {
   const token = process.env.OPENCLAW_GATEWAY_TOKEN || "";
-  if (!token) return false;
+  if (!token) {
+    return false;
+  }
   const ownerUserId = token.split("-").pop() || "";
-  if (!ownerUserId) return false;
+  if (!ownerUserId) {
+    return false;
+  }
   return ownerUserId === userId;
 }