neoagent 2.4.4-beta.0 → 2.4.4-beta.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47) hide show
  1. package/README.md +5 -3
  2. package/docs/capabilities.md +16 -7
  3. package/docs/index.md +1 -0
  4. package/docs/security-boundaries.md +122 -0
  5. package/docs/supermemory-memory-review.md +852 -0
  6. package/flutter_app/lib/features/memory/views/retrieval_inspector_view.dart +128 -0
  7. package/flutter_app/lib/main.dart +3 -0
  8. package/flutter_app/lib/main_app_shell.dart +22 -0
  9. package/flutter_app/lib/main_controller.dart +36 -1
  10. package/flutter_app/lib/main_operations.dart +13 -0
  11. package/flutter_app/lib/main_security.dart +971 -0
  12. package/flutter_app/lib/main_settings.dart +61 -0
  13. package/flutter_app/lib/src/backend_client.dart +60 -3
  14. package/flutter_app/macos/Flutter/GeneratedPluginRegistrant.swift +2 -0
  15. package/flutter_app/pubspec.lock +32 -0
  16. package/flutter_app/pubspec.yaml +1 -0
  17. package/lib/schema_migrations.js +237 -0
  18. package/package.json +4 -2
  19. package/server/db/database.js +3 -0
  20. package/server/http/routes.js +2 -1
  21. package/server/public/.last_build_id +1 -1
  22. package/server/public/assets/NOTICES +86 -0
  23. package/server/public/assets/fonts/MaterialIcons-Regular.otf +0 -0
  24. package/server/public/flutter_bootstrap.js +1 -1
  25. package/server/public/main.dart.js +80911 -79117
  26. package/server/routes/memory.js +39 -2
  27. package/server/routes/security.js +112 -0
  28. package/server/services/ai/engine.js +267 -10
  29. package/server/services/ai/systemPrompt.js +13 -2
  30. package/server/services/cli/shell_worker.js +135 -0
  31. package/server/services/cli/shell_worker_pool.js +125 -0
  32. package/server/services/manager.js +20 -1
  33. package/server/services/memory/consolidation.js +111 -0
  34. package/server/services/memory/embedding_index.js +175 -0
  35. package/server/services/memory/embeddings.js +22 -2
  36. package/server/services/memory/evaluation.js +187 -0
  37. package/server/services/memory/ingestion_chunking.js +191 -0
  38. package/server/services/memory/ingestion_documents.js +96 -26
  39. package/server/services/memory/intelligence.js +3 -1
  40. package/server/services/memory/manager.js +855 -40
  41. package/server/services/memory/policy.js +0 -40
  42. package/server/services/memory/retrieval_reasoning.js +191 -0
  43. package/server/services/runtime/manager.js +7 -0
  44. package/server/services/security/approval_gate_service.js +93 -0
  45. package/server/services/security/tool_categories.js +105 -0
  46. package/server/services/security/tool_policy_service.js +92 -0
  47. package/server/services/security/tool_security_hook.js +77 -0
package/README.md CHANGED
@@ -77,12 +77,14 @@ please report failures with enough detail to reproduce them. Contributions to
77
77
  the backend, Flutter clients, integrations, skills, tests, and documentation
78
78
  are welcome.
79
79
 
80
- Read [CONTRIBUTING.md](CONTRIBUTING.md) before opening a pull request. Security
81
- issues should be reported privately according to [SECURITY.md](SECURITY.md).
80
+ Read [CONTRIBUTING.md](CONTRIBUTING.md) before opening a pull request. Review
81
+ the documented [security boundaries](docs/security-boundaries.md) before
82
+ installing on a machine with sensitive data. Security issues should be reported
83
+ privately according to [SECURITY.md](SECURITY.md).
82
84
 
83
85
  ## Documentation
84
86
 
85
- [Docs](https://neolabs-systems.github.io/NeoAgent/) | [Getting Started](docs/getting-started.md) | [Configuration](docs/configuration.md) | [Capabilities](docs/capabilities.md) | [Skills and MCP](docs/skills.md) | [Operations](docs/operations.md) | [Discussions](https://github.com/NeoLabs-Systems/NeoAgent/discussions) | [Issues](https://github.com/NeoLabs-Systems/NeoAgent/issues)
87
+ [Docs](https://neolabs-systems.github.io/NeoAgent/) | [Getting Started](docs/getting-started.md) | [Configuration](docs/configuration.md) | [Capabilities](docs/capabilities.md) | [Security Boundaries](docs/security-boundaries.md) | [Skills and MCP](docs/skills.md) | [Operations](docs/operations.md) | [Discussions](https://github.com/NeoLabs-Systems/NeoAgent/discussions) | [Issues](https://github.com/NeoLabs-Systems/NeoAgent/issues)
86
88
 
87
89
  ---
88
90
 
@@ -73,14 +73,23 @@ Transcription uses Deepgram (`nova-3` model, multi-language by default). Enable
73
73
 
74
74
  ## Runtime Modes
75
75
 
76
- | Profile | What runs where |
76
+ | Setting | What runs where |
77
77
  |---|---|
78
- | `trusted-host` | CLI and Android run on the host; browser runs in the VM or paired extension |
79
- | `secure-vm` | CLI, browser, and Android all run inside the isolated VM |
80
-
81
- Production deployments can require `secure-vm` and a strong `NEOAGENT_VM_GUEST_TOKEN` (32+ characters).
82
-
83
- The browser always runs in isolation — either the local VM or a paired Chrome extension on a remote machine. To pair an extension: download `/api/browser-extension/download` from NeoAgent, unzip it, enable Developer Mode in `chrome://extensions`, load the folder, then pair after signing in.
78
+ | Default | Browser and CLI run in a per-user isolated runtime; Android runs on the host over ADB |
79
+ | Paired browser extension | Browser actions run in the paired Chrome profile |
80
+ | Desktop CLI backend | Shell commands run on the paired desktop with the companion process's permissions |
81
+
82
+ The stored runtime profile is normalized to `secure-vm`, but that name does not
83
+ mean every NeoAgent capability runs in a VM. In particular, Android, workspace
84
+ file tools, memory, integrations, messaging, and MCP orchestration remain
85
+ server-side. See [Security Boundaries](security-boundaries.md) for the enforced
86
+ boundaries and current limitations.
87
+
88
+ The default browser runs in the isolated runtime. A paired Chrome extension is
89
+ an alternative backend, not an isolation boundary: it grants NeoAgent control
90
+ of that browser profile on the paired machine. To pair an extension: download
91
+ `/api/browser-extension/download` from NeoAgent, unzip it, enable Developer
92
+ Mode in `chrome://extensions`, load the folder, then pair after signing in.
84
93
 
85
94
  ## Integrations and Messaging
86
95
 
package/docs/index.md CHANGED
@@ -40,6 +40,7 @@ Opens at `http://localhost:3333` when complete. See [Getting Started](getting-st
40
40
  | [Getting Started](getting-started.md) | Install, first run, service commands |
41
41
  | [Capabilities](capabilities.md) | Full tool and feature inventory |
42
42
  | [Configuration](configuration.md) | Environment variables, provider keys, OAuth setup |
43
+ | [Security Boundaries](security-boundaries.md) | Enforced isolation, prompt-injection limits, deployment guidance |
43
44
  | [Automation](automation.md) | Tasks, cron scheduling, integration triggers |
44
45
  | [Integrations](integrations.md) | OAuth accounts and messaging platforms |
45
46
  | [Skills](skills.md) | Built-in skills catalog, custom skills, MCP |
@@ -0,0 +1,122 @@
1
+ # Security Boundaries
2
+
3
+ NeoAgent processes untrusted content from web pages, email, messaging
4
+ platforms, integrations, MCP servers, files, and other external systems. That
5
+ content may attempt prompt injection.
6
+
7
+ Prompt instructions, warning text added to tool results, and injection
8
+ detection heuristics are defense-in-depth signals for the model. They are not
9
+ authorization boundaries. The boundaries below are enforced in server-side
10
+ code and cannot be bypassed by any model-generated content.
11
+
12
+ ## What Is Enforced
13
+
14
+ ### Infrastructure isolation
15
+
16
+ | Capability | Enforced boundary |
17
+ |---|---|
18
+ | Browser, default backend | Runs in a per-user Docker container with resource limits (`no-new-privileges`, no host filesystem mount). |
19
+ | Browser, paired extension | Commands are sent to the explicitly paired Chrome extension. Controls that browser profile; outside the container boundary. |
20
+ | Shell, VM backend | `execute_command` runs in the same per-user container as the default browser backend. |
21
+ | Shell, desktop companion | Commands route through `ShellWorkerPool` — a `child_process.fork()` pool of isolated worker processes (`server/services/cli/shell_worker.js`). Workers carry **no server imports**: no database handle, no JWT secret, no app state. A compromised command result cannot read main-process memory. |
22
+ | Workspace file tools | `read_file`, `write_file`, `edit_file`, directory listing, and file search are restricted by server-side path checks to the user's workspace directory. |
23
+ | Android | `android_shell` and related tools run from the NeoAgent host via ADB against the selected device or emulator. |
24
+ | Official integrations | OAuth credentials remain server-side. Accounts configured as read-only have write tools blocked by server-side access checks. |
25
+ | Runtime API | The container endpoint is published on loopback. A guest token authenticates requests between the server and the runtime. |
26
+
27
+ ### Tool policy system
28
+
29
+ The `before_tool_call` hook fires before every tool execution in both the
30
+ sequential and parallel engine paths. Two handlers are registered at startup
31
+ and cannot be removed by agent code:
32
+
33
+ **Priority 5 — per-category policy check** (`server/services/security/tool_security_hook.js`)
34
+
35
+ Every tool is mapped to one of seven sensitive categories:
36
+
37
+ | Category | Tools |
38
+ |---|---|
39
+ | `shell` | `execute_command` |
40
+ | `file_write` | `write_file`, `edit_file` |
41
+ | `android_privileged` | `android_shell`, `android_install_apk`, `android_open_intent`, `android_open_app` |
42
+ | `desktop_control` | `desktop_click`, `desktop_type`, `desktop_press_key`, `desktop_drag`, `desktop_launch_app`, `desktop_observe` |
43
+ | `browser_privileged` | `browser_evaluate` |
44
+ | `network_write` | `http_request` (POST/PUT/PATCH/DELETE only) |
45
+ | `skill_mutation` | `create_skill`, `update_skill`, `delete_skill`, `create_ai_widget`, `update_ai_widget`, `delete_ai_widget` |
46
+
47
+ Read-only tools (`think`, `web_search`, `browser_navigate`, `read_file`, etc.)
48
+ are in a static `SAFE_TOOLS` set and bypass all policy checks with a single
49
+ `Set.has()` call.
50
+
51
+ Per-category policy (stored in `tool_policies` table, one row per user per
52
+ category):
53
+
54
+ | Policy | Effect |
55
+ |---|---|
56
+ | `deny` | Tool call is blocked immediately. The model receives a structured error and can explain the restriction to the user. |
57
+ | `require_approval` | Execution suspends; the user receives a real-time prompt (bottom sheet + optional push notification). Decision options: Deny / Allow once / Allow session / Always allow. |
58
+ | `allow` | Tool runs without interruption. Grants expire at session end. |
59
+ | `allow_always` | Tool runs without interruption. Persisted to DB; never expires. |
60
+
61
+ Default policy for all categories is `require_approval`, except `skill_mutation` which defaults to `deny`.
62
+
63
+ **Priority 10 — approval gate** (`server/services/security/approval_gate_service.js`)
64
+
65
+ When a category policy is `require_approval`, execution is suspended and a
66
+ `tool:approval_required` event is emitted to the user's Socket.IO room. The
67
+ agent loop awaits the decision with a 30-second timeout. If no decision is
68
+ received, the tool is denied and the model is informed of the timeout.
69
+
70
+ ### Global security mode
71
+
72
+ Users can override all per-category settings with a global mode (stored in
73
+ `user_settings` under key `tool_security_mode`):
74
+
75
+ | Mode | Behaviour |
76
+ |---|---|
77
+ | `default` | Per-category policies apply (recommended). |
78
+ | `allow_all` | All tool policy and approval checks are bypassed. The agent runs without interruption. |
79
+ | `always_ask` | Every sensitive tool requires approval regardless of per-category settings. |
80
+
81
+ ### Agent-loop feedback
82
+
83
+ When a tool is blocked, the model receives a structured result:
84
+
85
+ ```json
86
+ { "tool": "execute_command", "status": "blocked", "blocked_by": "policy|user_denied|approval_timeout", "reason": "..." }
87
+ ```
88
+
89
+ The `reason` field contains an actionable message the model can surface to the
90
+ user (e.g., pointing to Settings → Tool Permissions, or acknowledging that the
91
+ user denied the call and it should not retry).
92
+
93
+ ## What Is Not Enforced
94
+
95
+ - **No per-tool allowlist at the schema/selection level.** A tool blocked by
96
+ policy is still listed in the tool catalog. The block fires at execution
97
+ time, not at selection time.
98
+ - **No mandatory approval for safe tools.** Tools in `SAFE_TOOLS` always
99
+ execute without a policy check.
100
+ - **No network egress filtering.** The `http_request` tool (non-write methods)
101
+ can reach any URL reachable from the server.
102
+ - **Prompt-injection detection is heuristic.** The detection layer may warn the
103
+ model but cannot prevent every injection attempt.
104
+
105
+ ## Deployment Guidance
106
+
107
+ - Run NeoAgent under a dedicated, unprivileged OS account.
108
+ - Prefer the container-backed browser and CLI defaults (VM backend).
109
+ - Do not select the desktop shell backend on a machine containing data the
110
+ agent should not access.
111
+ - Use `require_approval` or `deny` for `shell` and `android_privileged` on
112
+ machines where you run personal or work data alongside NeoAgent.
113
+ - Treat a paired browser extension as giving the agent control of that browser
114
+ profile. Use a dedicated profile.
115
+ - Treat an ADB-connected Android device as accessible to the agent, including
116
+ capabilities exposed by `adb shell`.
117
+ - Keep integration accounts read-only unless write access is required.
118
+ - The `allow_all` global mode is suitable only for trusted automated
119
+ environments where the operator controls all input. Do not use it for
120
+ open-ended agentic sessions that browse the web or read email.
121
+
122
+ For vulnerability reporting, see [Security Policy](https://github.com/NeoLabs-Systems/NeoAgent/blob/main/SECURITY.md).