neoagent 2.4.3 → 2.4.4-beta.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +5 -3
- package/docs/capabilities.md +16 -7
- package/docs/index.md +1 -0
- package/docs/security-boundaries.md +122 -0
- package/docs/supermemory-memory-review.md +852 -0
- package/flutter_app/lib/features/memory/views/retrieval_inspector_view.dart +128 -0
- package/flutter_app/lib/main.dart +3 -0
- package/flutter_app/lib/main_app_shell.dart +22 -0
- package/flutter_app/lib/main_controller.dart +36 -1
- package/flutter_app/lib/main_operations.dart +13 -0
- package/flutter_app/lib/main_security.dart +971 -0
- package/flutter_app/lib/main_settings.dart +61 -0
- package/flutter_app/lib/src/backend_client.dart +60 -3
- package/flutter_app/macos/Flutter/GeneratedPluginRegistrant.swift +2 -0
- package/flutter_app/pubspec.lock +32 -0
- package/flutter_app/pubspec.yaml +1 -0
- package/lib/schema_migrations.js +237 -0
- package/package.json +4 -2
- package/server/db/database.js +3 -0
- package/server/http/routes.js +2 -1
- package/server/public/.last_build_id +1 -1
- package/server/public/assets/NOTICES +86 -0
- package/server/public/assets/fonts/MaterialIcons-Regular.otf +0 -0
- package/server/public/flutter_bootstrap.js +1 -1
- package/server/public/main.dart.js +80911 -79117
- package/server/routes/memory.js +39 -2
- package/server/routes/security.js +112 -0
- package/server/services/ai/engine.js +267 -10
- package/server/services/ai/systemPrompt.js +13 -2
- package/server/services/cli/shell_worker.js +135 -0
- package/server/services/cli/shell_worker_pool.js +125 -0
- package/server/services/manager.js +20 -1
- package/server/services/memory/consolidation.js +111 -0
- package/server/services/memory/embedding_index.js +175 -0
- package/server/services/memory/embeddings.js +22 -2
- package/server/services/memory/evaluation.js +187 -0
- package/server/services/memory/ingestion_chunking.js +191 -0
- package/server/services/memory/ingestion_documents.js +96 -26
- package/server/services/memory/intelligence.js +3 -1
- package/server/services/memory/manager.js +855 -40
- package/server/services/memory/policy.js +0 -40
- package/server/services/memory/retrieval_reasoning.js +191 -0
- package/server/services/runtime/manager.js +7 -0
- package/server/services/security/approval_gate_service.js +93 -0
- package/server/services/security/tool_categories.js +105 -0
- package/server/services/security/tool_policy_service.js +92 -0
- package/server/services/security/tool_security_hook.js +77 -0
package/README.md
CHANGED
|
@@ -77,12 +77,14 @@ please report failures with enough detail to reproduce them. Contributions to
|
|
|
77
77
|
the backend, Flutter clients, integrations, skills, tests, and documentation
|
|
78
78
|
are welcome.
|
|
79
79
|
|
|
80
|
-
Read [CONTRIBUTING.md](CONTRIBUTING.md) before opening a pull request.
|
|
81
|
-
|
|
80
|
+
Read [CONTRIBUTING.md](CONTRIBUTING.md) before opening a pull request. Review
|
|
81
|
+
the documented [security boundaries](docs/security-boundaries.md) before
|
|
82
|
+
installing on a machine with sensitive data. Security issues should be reported
|
|
83
|
+
privately according to [SECURITY.md](SECURITY.md).
|
|
82
84
|
|
|
83
85
|
## Documentation
|
|
84
86
|
|
|
85
|
-
[Docs](https://neolabs-systems.github.io/NeoAgent/) | [Getting Started](docs/getting-started.md) | [Configuration](docs/configuration.md) | [Capabilities](docs/capabilities.md) | [Skills and MCP](docs/skills.md) | [Operations](docs/operations.md) | [Discussions](https://github.com/NeoLabs-Systems/NeoAgent/discussions) | [Issues](https://github.com/NeoLabs-Systems/NeoAgent/issues)
|
|
87
|
+
[Docs](https://neolabs-systems.github.io/NeoAgent/) | [Getting Started](docs/getting-started.md) | [Configuration](docs/configuration.md) | [Capabilities](docs/capabilities.md) | [Security Boundaries](docs/security-boundaries.md) | [Skills and MCP](docs/skills.md) | [Operations](docs/operations.md) | [Discussions](https://github.com/NeoLabs-Systems/NeoAgent/discussions) | [Issues](https://github.com/NeoLabs-Systems/NeoAgent/issues)
|
|
86
88
|
|
|
87
89
|
---
|
|
88
90
|
|
package/docs/capabilities.md
CHANGED
|
@@ -73,14 +73,23 @@ Transcription uses Deepgram (`nova-3` model, multi-language by default). Enable
|
|
|
73
73
|
|
|
74
74
|
## Runtime Modes
|
|
75
75
|
|
|
76
|
-
|
|
|
76
|
+
| Setting | What runs where |
|
|
77
77
|
|---|---|
|
|
78
|
-
|
|
|
79
|
-
|
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
78
|
+
| Default | Browser and CLI run in a per-user isolated runtime; Android runs on the host over ADB |
|
|
79
|
+
| Paired browser extension | Browser actions run in the paired Chrome profile |
|
|
80
|
+
| Desktop CLI backend | Shell commands run on the paired desktop with the companion process's permissions |
|
|
81
|
+
|
|
82
|
+
The stored runtime profile is normalized to `secure-vm`, but that name does not
|
|
83
|
+
mean every NeoAgent capability runs in a VM. In particular, Android, workspace
|
|
84
|
+
file tools, memory, integrations, messaging, and MCP orchestration remain
|
|
85
|
+
server-side. See [Security Boundaries](security-boundaries.md) for the enforced
|
|
86
|
+
boundaries and current limitations.
|
|
87
|
+
|
|
88
|
+
The default browser runs in the isolated runtime. A paired Chrome extension is
|
|
89
|
+
an alternative backend, not an isolation boundary: it grants NeoAgent control
|
|
90
|
+
of that browser profile on the paired machine. To pair an extension: download
|
|
91
|
+
`/api/browser-extension/download` from NeoAgent, unzip it, enable Developer
|
|
92
|
+
Mode in `chrome://extensions`, load the folder, then pair after signing in.
|
|
84
93
|
|
|
85
94
|
## Integrations and Messaging
|
|
86
95
|
|
package/docs/index.md
CHANGED
|
@@ -40,6 +40,7 @@ Opens at `http://localhost:3333` when complete. See [Getting Started](getting-st
|
|
|
40
40
|
| [Getting Started](getting-started.md) | Install, first run, service commands |
|
|
41
41
|
| [Capabilities](capabilities.md) | Full tool and feature inventory |
|
|
42
42
|
| [Configuration](configuration.md) | Environment variables, provider keys, OAuth setup |
|
|
43
|
+
| [Security Boundaries](security-boundaries.md) | Enforced isolation, prompt-injection limits, deployment guidance |
|
|
43
44
|
| [Automation](automation.md) | Tasks, cron scheduling, integration triggers |
|
|
44
45
|
| [Integrations](integrations.md) | OAuth accounts and messaging platforms |
|
|
45
46
|
| [Skills](skills.md) | Built-in skills catalog, custom skills, MCP |
|
|
@@ -0,0 +1,122 @@
|
|
|
1
|
+
# Security Boundaries
|
|
2
|
+
|
|
3
|
+
NeoAgent processes untrusted content from web pages, email, messaging
|
|
4
|
+
platforms, integrations, MCP servers, files, and other external systems. That
|
|
5
|
+
content may attempt prompt injection.
|
|
6
|
+
|
|
7
|
+
Prompt instructions, warning text added to tool results, and injection
|
|
8
|
+
detection heuristics are defense-in-depth signals for the model. They are not
|
|
9
|
+
authorization boundaries. The boundaries below are enforced in server-side
|
|
10
|
+
code and cannot be bypassed by any model-generated content.
|
|
11
|
+
|
|
12
|
+
## What Is Enforced
|
|
13
|
+
|
|
14
|
+
### Infrastructure isolation
|
|
15
|
+
|
|
16
|
+
| Capability | Enforced boundary |
|
|
17
|
+
|---|---|
|
|
18
|
+
| Browser, default backend | Runs in a per-user Docker container with resource limits (`no-new-privileges`, no host filesystem mount). |
|
|
19
|
+
| Browser, paired extension | Commands are sent to the explicitly paired Chrome extension. Controls that browser profile; outside the container boundary. |
|
|
20
|
+
| Shell, VM backend | `execute_command` runs in the same per-user container as the default browser backend. |
|
|
21
|
+
| Shell, desktop companion | Commands route through `ShellWorkerPool` — a `child_process.fork()` pool of isolated worker processes (`server/services/cli/shell_worker.js`). Workers carry **no server imports**: no database handle, no JWT secret, no app state. A compromised command result cannot read main-process memory. |
|
|
22
|
+
| Workspace file tools | `read_file`, `write_file`, `edit_file`, directory listing, and file search are restricted by server-side path checks to the user's workspace directory. |
|
|
23
|
+
| Android | `android_shell` and related tools run from the NeoAgent host via ADB against the selected device or emulator. |
|
|
24
|
+
| Official integrations | OAuth credentials remain server-side. Accounts configured as read-only have write tools blocked by server-side access checks. |
|
|
25
|
+
| Runtime API | The container endpoint is published on loopback. A guest token authenticates requests between the server and the runtime. |
|
|
26
|
+
|
|
27
|
+
### Tool policy system
|
|
28
|
+
|
|
29
|
+
The `before_tool_call` hook fires before every tool execution in both the
|
|
30
|
+
sequential and parallel engine paths. Two handlers are registered at startup
|
|
31
|
+
and cannot be removed by agent code:
|
|
32
|
+
|
|
33
|
+
**Priority 5 — per-category policy check** (`server/services/security/tool_security_hook.js`)
|
|
34
|
+
|
|
35
|
+
Every tool is mapped to one of seven sensitive categories:
|
|
36
|
+
|
|
37
|
+
| Category | Tools |
|
|
38
|
+
|---|---|
|
|
39
|
+
| `shell` | `execute_command` |
|
|
40
|
+
| `file_write` | `write_file`, `edit_file` |
|
|
41
|
+
| `android_privileged` | `android_shell`, `android_install_apk`, `android_open_intent`, `android_open_app` |
|
|
42
|
+
| `desktop_control` | `desktop_click`, `desktop_type`, `desktop_press_key`, `desktop_drag`, `desktop_launch_app`, `desktop_observe` |
|
|
43
|
+
| `browser_privileged` | `browser_evaluate` |
|
|
44
|
+
| `network_write` | `http_request` (POST/PUT/PATCH/DELETE only) |
|
|
45
|
+
| `skill_mutation` | `create_skill`, `update_skill`, `delete_skill`, `create_ai_widget`, `update_ai_widget`, `delete_ai_widget` |
|
|
46
|
+
|
|
47
|
+
Read-only tools (`think`, `web_search`, `browser_navigate`, `read_file`, etc.)
|
|
48
|
+
are in a static `SAFE_TOOLS` set and bypass all policy checks with a single
|
|
49
|
+
`Set.has()` call.
|
|
50
|
+
|
|
51
|
+
Per-category policy (stored in `tool_policies` table, one row per user per
|
|
52
|
+
category):
|
|
53
|
+
|
|
54
|
+
| Policy | Effect |
|
|
55
|
+
|---|---|
|
|
56
|
+
| `deny` | Tool call is blocked immediately. The model receives a structured error and can explain the restriction to the user. |
|
|
57
|
+
| `require_approval` | Execution suspends; the user receives a real-time prompt (bottom sheet + optional push notification). Decision options: Deny / Allow once / Allow session / Always allow. |
|
|
58
|
+
| `allow` | Tool runs without interruption. Grants expire at session end. |
|
|
59
|
+
| `allow_always` | Tool runs without interruption. Persisted to DB; never expires. |
|
|
60
|
+
|
|
61
|
+
Default policy for all categories is `require_approval`, except `skill_mutation` which defaults to `deny`.
|
|
62
|
+
|
|
63
|
+
**Priority 10 — approval gate** (`server/services/security/approval_gate_service.js`)
|
|
64
|
+
|
|
65
|
+
When a category policy is `require_approval`, execution is suspended and a
|
|
66
|
+
`tool:approval_required` event is emitted to the user's Socket.IO room. The
|
|
67
|
+
agent loop awaits the decision with a 30-second timeout. If no decision is
|
|
68
|
+
received, the tool is denied and the model is informed of the timeout.
|
|
69
|
+
|
|
70
|
+
### Global security mode
|
|
71
|
+
|
|
72
|
+
Users can override all per-category settings with a global mode (stored in
|
|
73
|
+
`user_settings` under key `tool_security_mode`):
|
|
74
|
+
|
|
75
|
+
| Mode | Behaviour |
|
|
76
|
+
|---|---|
|
|
77
|
+
| `default` | Per-category policies apply (recommended). |
|
|
78
|
+
| `allow_all` | All tool policy and approval checks are bypassed. The agent runs without interruption. |
|
|
79
|
+
| `always_ask` | Every sensitive tool requires approval regardless of per-category settings. |
|
|
80
|
+
|
|
81
|
+
### Agent-loop feedback
|
|
82
|
+
|
|
83
|
+
When a tool is blocked, the model receives a structured result:
|
|
84
|
+
|
|
85
|
+
```json
|
|
86
|
+
{ "tool": "execute_command", "status": "blocked", "blocked_by": "policy|user_denied|approval_timeout", "reason": "..." }
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
The `reason` field contains an actionable message the model can surface to the
|
|
90
|
+
user (e.g., pointing to Settings → Tool Permissions, or acknowledging that the
|
|
91
|
+
user denied the call and it should not retry).
|
|
92
|
+
|
|
93
|
+
## What Is Not Enforced
|
|
94
|
+
|
|
95
|
+
- **No per-tool allowlist at the schema/selection level.** A tool blocked by
|
|
96
|
+
policy is still listed in the tool catalog. The block fires at execution
|
|
97
|
+
time, not at selection time.
|
|
98
|
+
- **No mandatory approval for safe tools.** Tools in `SAFE_TOOLS` always
|
|
99
|
+
execute without a policy check.
|
|
100
|
+
- **No network egress filtering.** The `http_request` tool (non-write methods)
|
|
101
|
+
can reach any URL reachable from the server.
|
|
102
|
+
- **Prompt-injection detection is heuristic.** The detection layer may warn the
|
|
103
|
+
model but cannot prevent every injection attempt.
|
|
104
|
+
|
|
105
|
+
## Deployment Guidance
|
|
106
|
+
|
|
107
|
+
- Run NeoAgent under a dedicated, unprivileged OS account.
|
|
108
|
+
- Prefer the container-backed browser and CLI defaults (VM backend).
|
|
109
|
+
- Do not select the desktop shell backend on a machine containing data the
|
|
110
|
+
agent should not access.
|
|
111
|
+
- Use `require_approval` or `deny` for `shell` and `android_privileged` on
|
|
112
|
+
machines where you run personal or work data alongside NeoAgent.
|
|
113
|
+
- Treat a paired browser extension as giving the agent control of that browser
|
|
114
|
+
profile. Use a dedicated profile.
|
|
115
|
+
- Treat an ADB-connected Android device as accessible to the agent, including
|
|
116
|
+
capabilities exposed by `adb shell`.
|
|
117
|
+
- Keep integration accounts read-only unless write access is required.
|
|
118
|
+
- The `allow_all` global mode is suitable only for trusted automated
|
|
119
|
+
environments where the operator controls all input. Do not use it for
|
|
120
|
+
open-ended agentic sessions that browse the web or read email.
|
|
121
|
+
|
|
122
|
+
For vulnerability reporting, see [Security Policy](https://github.com/NeoLabs-Systems/NeoAgent/blob/main/SECURITY.md).
|