neoagent 2.4.4-beta.9 → 2.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +64 -57
- package/docs/agent-run-lifecycle.md +65 -0
- package/docs/agents-and-users.md +48 -0
- package/docs/architecture.md +59 -0
- package/docs/automation-architecture.md +50 -0
- package/docs/automation.md +54 -70
- package/docs/capabilities.md +16 -118
- package/docs/clients-and-devices.md +43 -0
- package/docs/configuration.md +104 -117
- package/docs/development.md +82 -0
- package/docs/devices.md +62 -0
- package/docs/getting-started.md +47 -57
- package/docs/index.md +41 -30
- package/docs/integrations-architecture.md +48 -0
- package/docs/integrations.md +56 -51
- package/docs/memory-architecture.md +90 -0
- package/docs/memory.md +78 -0
- package/docs/migration.md +12 -5
- package/docs/models.md +64 -0
- package/docs/operations.md +46 -30
- package/docs/persistence.md +49 -0
- package/docs/recordings-and-health.md +41 -0
- package/docs/runtime-and-tools.md +52 -0
- package/docs/security-boundaries.md +65 -111
- package/docs/skills.md +32 -45
- package/docs/why-neoagent.md +47 -16
- package/flutter_app/android/app/build.gradle.kts +2 -0
- package/landing/index.html +0 -4
- package/lib/install_helpers.js +1 -0
- package/lib/manager.js +12 -2
- package/package.json +2 -2
- package/server/public/.last_build_id +1 -1
- package/server/public/flutter_bootstrap.js +1 -1
- package/server/public/main.dart.js +4 -4
- package/docs/supermemory-memory-review.md +0 -852
package/docs/models.md
ADDED
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
# Models and providers
|
|
2
|
+
|
|
3
|
+
NeoAgent supports local models, API-key providers, and several account-backed
|
|
4
|
+
providers. Provider credentials stay on the server.
|
|
5
|
+
|
|
6
|
+
## Configure a model
|
|
7
|
+
|
|
8
|
+
Open **Settings > AI Providers** to add credentials and choose models. You can
|
|
9
|
+
also run `neoagent setup` to configure common values from the terminal.
|
|
10
|
+
|
|
11
|
+
### Local models
|
|
12
|
+
|
|
13
|
+
[Ollama](https://ollama.com/) does not require a hosted-model API key. Set its
|
|
14
|
+
server URL with `OLLAMA_URL`, then select an available Ollama model in NeoAgent.
|
|
15
|
+
The Ollama process may run on the NeoAgent host or another reachable machine.
|
|
16
|
+
|
|
17
|
+
### API-key providers
|
|
18
|
+
|
|
19
|
+
NeoAgent includes providers for Anthropic, OpenAI, Google Gemini, xAI, MiniMax,
|
|
20
|
+
NVIDIA NIM, OpenRouter, and OpenAI-compatible endpoints. Available models are
|
|
21
|
+
loaded through the configured provider rather than maintained as a fixed list
|
|
22
|
+
in the documentation.
|
|
23
|
+
|
|
24
|
+
### Account-backed providers
|
|
25
|
+
|
|
26
|
+
The CLI can authenticate supported developer subscriptions:
|
|
27
|
+
|
|
28
|
+
```bash
|
|
29
|
+
neoagent login github-copilot
|
|
30
|
+
neoagent login openai-codex
|
|
31
|
+
neoagent login claude-code
|
|
32
|
+
neoagent login grok-oauth
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
These login flows are separate from ordinary API-key providers.
|
|
36
|
+
|
|
37
|
+
## Model assignment
|
|
38
|
+
|
|
39
|
+
The default model is selected in settings. Individual agents and scheduled
|
|
40
|
+
tasks can override it. A model used for tools must support the tool-calling
|
|
41
|
+
contract expected by its NeoAgent provider.
|
|
42
|
+
|
|
43
|
+
Some features use separate providers:
|
|
44
|
+
|
|
45
|
+
- Embeddings for memory search use a configured supported embedding provider
|
|
46
|
+
and fall back to lexical retrieval when embeddings are unavailable.
|
|
47
|
+
- Recording transcription uses Deepgram when enabled.
|
|
48
|
+
- Image generation and analysis depend on the selected provider and model.
|
|
49
|
+
|
|
50
|
+
## Credential handling
|
|
51
|
+
|
|
52
|
+
API keys and account tokens are stored under the NeoAgent runtime directory on
|
|
53
|
+
the server. Do not put credentials in task prompts, skills, screenshots, issue
|
|
54
|
+
reports, or chat messages.
|
|
55
|
+
|
|
56
|
+
Use the environment CLI when terminal administration is more appropriate:
|
|
57
|
+
|
|
58
|
+
```bash
|
|
59
|
+
neoagent env list
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
`env list` masks secrets. The `env get`, `env set`, and `env unset` commands
|
|
63
|
+
accept a variable name; `env get` prints the selected value, so avoid running it
|
|
64
|
+
in recorded terminals or shared shells.
|
package/docs/operations.md
CHANGED
|
@@ -1,28 +1,33 @@
|
|
|
1
|
-
# Operations
|
|
1
|
+
# Operations and troubleshooting
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
Run service commands on the machine hosting NeoAgent.
|
|
4
|
+
|
|
5
|
+
## Service commands
|
|
4
6
|
|
|
5
7
|
```bash
|
|
6
|
-
neoagent status
|
|
7
|
-
neoagent
|
|
8
|
+
neoagent status
|
|
9
|
+
neoagent start
|
|
10
|
+
neoagent stop
|
|
8
11
|
neoagent restart
|
|
12
|
+
neoagent logs
|
|
9
13
|
```
|
|
10
14
|
|
|
11
|
-
|
|
15
|
+
`status` is the first check for install, service, configuration, and health
|
|
16
|
+
problems. `logs` tails the server logs. Logs from a laptop or client do not
|
|
17
|
+
describe a NeoAgent instance running on another server.
|
|
12
18
|
|
|
13
|
-
|
|
14
|
-
neoagent channel # show current channel
|
|
15
|
-
neoagent channel stable # switch to stable releases (recommended for most installs)
|
|
16
|
-
neoagent channel beta # switch to prerelease builds
|
|
17
|
-
```
|
|
18
|
-
|
|
19
|
-
## Updates
|
|
19
|
+
## Release channels and updates
|
|
20
20
|
|
|
21
21
|
```bash
|
|
22
|
+
neoagent channel
|
|
23
|
+
neoagent channel stable
|
|
24
|
+
neoagent channel beta
|
|
22
25
|
neoagent update
|
|
23
26
|
```
|
|
24
27
|
|
|
25
|
-
|
|
28
|
+
Stable is intended for normal installations. Beta receives prerelease builds.
|
|
29
|
+
`update` follows the selected channel, updates the package or Git checkout,
|
|
30
|
+
verifies the bundled client, and restarts the service.
|
|
26
31
|
|
|
27
32
|
## Recovery
|
|
28
33
|
|
|
@@ -30,32 +35,43 @@ Follows the configured release channel. On git installs, pulls the latest source
|
|
|
30
35
|
neoagent fix
|
|
31
36
|
```
|
|
32
37
|
|
|
33
|
-
Use
|
|
38
|
+
Use `fix` for a damaged installation or failed source update. It preserves
|
|
39
|
+
runtime data, repairs application source and dependencies, and restarts the
|
|
40
|
+
service. It is not a substitute for a backup.
|
|
34
41
|
|
|
35
|
-
For configuration
|
|
42
|
+
For configuration problems:
|
|
36
43
|
|
|
37
44
|
```bash
|
|
38
45
|
neoagent setup
|
|
39
46
|
neoagent restart
|
|
40
47
|
```
|
|
41
48
|
|
|
42
|
-
##
|
|
49
|
+
## Backups
|
|
43
50
|
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
| Service won't start | `neoagent logs` — look for startup errors |
|
|
47
|
-
| UI loads but agent doesn't respond | Confirm an AI provider key is set in **Settings → AI Providers** |
|
|
48
|
-
| OAuth integration fails | Confirm `PUBLIC_URL` is reachable and the redirect URI matches |
|
|
49
|
-
| Messaging not delivering | Check credentials in the messaging tab; confirm `PUBLIC_URL` for webhook-based platforms |
|
|
50
|
-
| Tasks not running | Confirm the task is enabled; check **Runs** and **Logs** for error output |
|
|
51
|
-
| Broken after update | `neoagent fix` — resets source, reinstalls, restarts |
|
|
52
|
-
|
|
53
|
-
## Runtime Data
|
|
51
|
+
Stop the service or take an application-consistent filesystem snapshot, then
|
|
52
|
+
back up:
|
|
54
53
|
|
|
55
54
|
| Path | Contents |
|
|
56
55
|
|---|---|
|
|
57
|
-
| `~/.neoagent/.env` | Server
|
|
58
|
-
| `~/.neoagent/data/` |
|
|
59
|
-
| `~/.neoagent/agent-data/` | Skills, memory, daily data |
|
|
56
|
+
| `~/.neoagent/.env` | Server configuration and secrets |
|
|
57
|
+
| `~/.neoagent/data/` | SQLite database, sessions, logs, update state |
|
|
58
|
+
| `~/.neoagent/agent-data/` | Skills, memory files, daily data |
|
|
59
|
+
|
|
60
|
+
If `NEOAGENT_HOME` is set, these paths live under that directory instead.
|
|
61
|
+
Protect backups as credentials and personal data.
|
|
60
62
|
|
|
61
|
-
|
|
63
|
+
## Common failures
|
|
64
|
+
|
|
65
|
+
| Symptom | Check |
|
|
66
|
+
|---|---|
|
|
67
|
+
| Service does not start | `neoagent status`, then `neoagent logs` |
|
|
68
|
+
| Chat has no response | Provider connection, selected model, provider quota |
|
|
69
|
+
| Browser or shell unavailable | QEMU installation and first runtime boot |
|
|
70
|
+
| OAuth fails | Reachable HTTPS `PUBLIC_URL` and exact callback URI |
|
|
71
|
+
| Messaging receives nothing | Channel credentials, webhook, and allowlists |
|
|
72
|
+
| Task does not run | Enabled state, trigger account, next run, **Runs** |
|
|
73
|
+
| Android action fails | ADB visibility, selected device, tool approval |
|
|
74
|
+
| Paired device unavailable | Companion or extension connection on that machine |
|
|
75
|
+
|
|
76
|
+
When reporting a bug, include the NeoAgent version, server OS, installation
|
|
77
|
+
type, runtime profile, exact reproduction steps, and sanitized server logs.
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
# Persistence and migrations
|
|
2
|
+
|
|
3
|
+
NeoAgent uses a single SQLite database opened through
|
|
4
|
+
`server/db/database.js`. Services share that instance and use synchronous
|
|
5
|
+
`better-sqlite3` statements and transactions.
|
|
6
|
+
|
|
7
|
+
## Stored state
|
|
8
|
+
|
|
9
|
+
The database owns:
|
|
10
|
+
|
|
11
|
+
- Users, sessions, agents, and settings
|
|
12
|
+
- Conversations, messages, runs, steps, events, and model usage
|
|
13
|
+
- Tasks, triggers, webhook deliveries, and widgets
|
|
14
|
+
- Integration connections and encrypted credentials
|
|
15
|
+
- Memory, facts, entities, source documents, and retrieval telemetry
|
|
16
|
+
- Recordings, transcripts, health records, and device registrations
|
|
17
|
+
- Tool policies and approval history
|
|
18
|
+
|
|
19
|
+
Larger artifacts and editable agent data use runtime directories under
|
|
20
|
+
`NEOAGENT_HOME`.
|
|
21
|
+
|
|
22
|
+
## Schema changes
|
|
23
|
+
|
|
24
|
+
Base schema creation lives in the database module. Incremental migrations live
|
|
25
|
+
in `lib/migrations.js` and `lib/schema_migrations.js`. A migration must be
|
|
26
|
+
idempotent and preserve existing user data.
|
|
27
|
+
|
|
28
|
+
Do not create tables or run `ALTER TABLE` from feature services. Do not open a
|
|
29
|
+
second SQLite database instance.
|
|
30
|
+
|
|
31
|
+
FTS5 and JSON1 use graceful fallbacks where the host SQLite build may not
|
|
32
|
+
provide an extension. New behavior must preserve those fallback paths unless
|
|
33
|
+
the installation requirements are deliberately changed.
|
|
34
|
+
|
|
35
|
+
## Runtime paths
|
|
36
|
+
|
|
37
|
+
`runtime/paths.js` is the source of truth for application, configuration, data,
|
|
38
|
+
agent-data, log, update, and PID paths. Services must use those exports rather
|
|
39
|
+
than hard-coded home-directory paths.
|
|
40
|
+
|
|
41
|
+
Startup can migrate legacy in-repository `.env`, `data`, and `agent-data`
|
|
42
|
+
locations into the runtime home when the destination is empty.
|
|
43
|
+
|
|
44
|
+
## Backup implications
|
|
45
|
+
|
|
46
|
+
The database and agent-data directories should be backed up as one logical
|
|
47
|
+
state. Integration credentials and session material make backups sensitive.
|
|
48
|
+
Restoring only the database can leave referenced files or editable skills out
|
|
49
|
+
of sync.
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
# Recordings and health
|
|
2
|
+
|
|
3
|
+
Recordings and health data are optional features of the NeoAgent clients. Both
|
|
4
|
+
store their processed data on the NeoAgent backend.
|
|
5
|
+
|
|
6
|
+
## Recordings
|
|
7
|
+
|
|
8
|
+
The web client can capture microphone and screen audio. The Android client can
|
|
9
|
+
record microphone audio through a foreground service.
|
|
10
|
+
|
|
11
|
+
Recordings upload in chunks and move through recording, processing, completed,
|
|
12
|
+
failed, or cancelled states. When Deepgram is configured, NeoAgent transcribes
|
|
13
|
+
the audio and stores timestamped segments that can be searched from the
|
|
14
|
+
operator interface or by the agent.
|
|
15
|
+
|
|
16
|
+
Optional recording insights can produce summaries, action items, and event
|
|
17
|
+
suggestions after transcription.
|
|
18
|
+
|
|
19
|
+
The agent can list recordings, inspect a session, and search transcripts. It
|
|
20
|
+
can also extract transcripts and metadata from supported public social-video
|
|
21
|
+
URLs when the required host tool is installed.
|
|
22
|
+
|
|
23
|
+
## Health Connect
|
|
24
|
+
|
|
25
|
+
The Android app can read Health Connect records after the user grants Android
|
|
26
|
+
permissions. Supported data includes steps, heart rate, sleep, exercise, and
|
|
27
|
+
weight.
|
|
28
|
+
|
|
29
|
+
The app uploads granted records to the user's NeoAgent backend. Stored metrics
|
|
30
|
+
appear in **Health** and are available to the owning agent through the health
|
|
31
|
+
tool.
|
|
32
|
+
|
|
33
|
+
Health Connect access can be revoked in Android settings. Revoking access stops
|
|
34
|
+
future reads but does not remove records already uploaded to NeoAgent; delete
|
|
35
|
+
stored server data separately when required.
|
|
36
|
+
|
|
37
|
+
## Privacy
|
|
38
|
+
|
|
39
|
+
Audio, transcripts, and health records are sensitive personal data. Protect the
|
|
40
|
+
server account, use HTTPS for remote clients, restrict agents and integrations,
|
|
41
|
+
and include these data stores in backup and deletion procedures.
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
# Runtime and tool execution
|
|
2
|
+
|
|
3
|
+
The runtime manager selects where browser, shell, desktop, and Android actions
|
|
4
|
+
execute. Tool security is checked before dispatch, independent of the model
|
|
5
|
+
that requested the action.
|
|
6
|
+
|
|
7
|
+
## Browser and shell
|
|
8
|
+
|
|
9
|
+
The default browser and CLI backend is a per-user isolated runtime managed by
|
|
10
|
+
the server. It exposes a guest agent authenticated with a generated token and
|
|
11
|
+
stores artifacts through the server artifact service.
|
|
12
|
+
|
|
13
|
+
Browser settings can select a paired Chrome extension. CLI settings can select
|
|
14
|
+
a paired desktop companion. If the requested paired backend is unavailable,
|
|
15
|
+
the effective backend falls back to the isolated runtime.
|
|
16
|
+
|
|
17
|
+
## Desktop companion
|
|
18
|
+
|
|
19
|
+
Desktop control and selected CLI commands are sent through the authenticated
|
|
20
|
+
desktop companion registry. Non-PTY desktop commands can run through an
|
|
21
|
+
isolated worker process that has no imports from the main server process.
|
|
22
|
+
|
|
23
|
+
This process separation protects server memory; it does not restrict what the
|
|
24
|
+
paired desktop account itself can access.
|
|
25
|
+
|
|
26
|
+
## Android
|
|
27
|
+
|
|
28
|
+
The Android provider is created per user but executes through ADB on the
|
|
29
|
+
NeoAgent host. Device selection, screenshots, UI observation, input, intents,
|
|
30
|
+
application installation, and shell commands therefore operate outside the
|
|
31
|
+
browser and CLI runtime.
|
|
32
|
+
|
|
33
|
+
## Workspace files
|
|
34
|
+
|
|
35
|
+
File tools use server-side path validation and the user's workspace boundary.
|
|
36
|
+
They do not accept arbitrary paths merely because a model generated them.
|
|
37
|
+
|
|
38
|
+
## Tool security hook
|
|
39
|
+
|
|
40
|
+
`before_tool_call` runs before tool execution. The security hook maps sensitive
|
|
41
|
+
tools to categories and applies the user's deny, approval, session allow, or
|
|
42
|
+
persistent allow policy.
|
|
43
|
+
|
|
44
|
+
Approval waits are delivered through Socket.IO. The model receives a structured
|
|
45
|
+
blocked result for denial or timeout and should not treat the tool as executed.
|
|
46
|
+
|
|
47
|
+
## Boundaries not provided
|
|
48
|
+
|
|
49
|
+
The runtime does not provide destination-level network egress filtering.
|
|
50
|
+
Read-only tools can execute without approval. Paired machines and ADB devices
|
|
51
|
+
remain trusted operator resources. See [Security](security-boundaries.md) for
|
|
52
|
+
deployment guidance.
|
|
@@ -1,122 +1,76 @@
|
|
|
1
|
-
# Security
|
|
1
|
+
# Security and permissions
|
|
2
2
|
|
|
3
|
-
NeoAgent
|
|
4
|
-
|
|
5
|
-
|
|
3
|
+
NeoAgent reads untrusted content from websites, email, messages, files,
|
|
4
|
+
integrations, and MCP servers. Any of that content can contain prompt
|
|
5
|
+
injection. Model instructions and injection warnings help, but authorization
|
|
6
|
+
must come from server-enforced boundaries and operator choices.
|
|
6
7
|
|
|
7
|
-
|
|
8
|
-
detection heuristics are defense-in-depth signals for the model. They are not
|
|
9
|
-
authorization boundaries. The boundaries below are enforced in server-side
|
|
10
|
-
code and cannot be bypassed by any model-generated content.
|
|
8
|
+
## Tool permissions
|
|
11
9
|
|
|
12
|
-
|
|
10
|
+
Sensitive tools are grouped into categories for shell commands, file writes,
|
|
11
|
+
privileged Android actions, desktop control, browser evaluation, network
|
|
12
|
+
writes, and skill or widget mutation.
|
|
13
13
|
|
|
14
|
-
|
|
14
|
+
Each category can be:
|
|
15
15
|
|
|
16
|
-
|
|
|
16
|
+
| Policy | Result |
|
|
17
17
|
|---|---|
|
|
18
|
-
|
|
|
19
|
-
|
|
|
20
|
-
|
|
|
21
|
-
|
|
|
22
|
-
| Workspace file tools | `read_file`, `write_file`, `edit_file`, directory listing, and file search are restricted by server-side path checks to the user's workspace directory. |
|
|
23
|
-
| Android | `android_shell` and related tools run from the NeoAgent host via ADB against the selected device or emulator. |
|
|
24
|
-
| Official integrations | OAuth credentials remain server-side. Accounts configured as read-only have write tools blocked by server-side access checks. |
|
|
25
|
-
| Runtime API | The container endpoint is published on loopback. A guest token authenticates requests between the server and the runtime. |
|
|
18
|
+
| Deny | The tool does not run |
|
|
19
|
+
| Require approval | The run pauses for a user decision |
|
|
20
|
+
| Allow | The tool runs for the current session |
|
|
21
|
+
| Always allow | The stored policy permits future runs |
|
|
26
22
|
|
|
27
|
-
|
|
23
|
+
The default is approval for sensitive categories. Skill and widget mutation is
|
|
24
|
+
denied by default. Users can also select a global default, always-ask, or
|
|
25
|
+
allow-all mode.
|
|
28
26
|
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
and cannot be removed by agent code:
|
|
27
|
+
Approval prompts time out after 30 seconds. A denied or timed-out call is
|
|
28
|
+
reported to the model as blocked rather than executed.
|
|
32
29
|
|
|
33
|
-
|
|
30
|
+
## Where tools run
|
|
34
31
|
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
| Category | Tools |
|
|
38
|
-
|---|---|
|
|
39
|
-
| `shell` | `execute_command` |
|
|
40
|
-
| `file_write` | `write_file`, `edit_file` |
|
|
41
|
-
| `android_privileged` | `android_shell`, `android_install_apk`, `android_open_intent`, `android_open_app` |
|
|
42
|
-
| `desktop_control` | `desktop_click`, `desktop_type`, `desktop_press_key`, `desktop_drag`, `desktop_launch_app`, `desktop_observe` |
|
|
43
|
-
| `browser_privileged` | `browser_evaluate` |
|
|
44
|
-
| `network_write` | `http_request` (POST/PUT/PATCH/DELETE only) |
|
|
45
|
-
| `skill_mutation` | `create_skill`, `update_skill`, `delete_skill`, `create_ai_widget`, `update_ai_widget`, `delete_ai_widget` |
|
|
46
|
-
|
|
47
|
-
Read-only tools (`think`, `web_search`, `browser_navigate`, `read_file`, etc.)
|
|
48
|
-
are in a static `SAFE_TOOLS` set and bypass all policy checks with a single
|
|
49
|
-
`Set.has()` call.
|
|
50
|
-
|
|
51
|
-
Per-category policy (stored in `tool_policies` table, one row per user per
|
|
52
|
-
category):
|
|
53
|
-
|
|
54
|
-
| Policy | Effect |
|
|
55
|
-
|---|---|
|
|
56
|
-
| `deny` | Tool call is blocked immediately. The model receives a structured error and can explain the restriction to the user. |
|
|
57
|
-
| `require_approval` | Execution suspends; the user receives a real-time prompt (bottom sheet + optional push notification). Decision options: Deny / Allow once / Allow session / Always allow. |
|
|
58
|
-
| `allow` | Tool runs without interruption. Grants expire at session end. |
|
|
59
|
-
| `allow_always` | Tool runs without interruption. Persisted to DB; never expires. |
|
|
60
|
-
|
|
61
|
-
Default policy for all categories is `require_approval`, except `skill_mutation` which defaults to `deny`.
|
|
62
|
-
|
|
63
|
-
**Priority 10 — approval gate** (`server/services/security/approval_gate_service.js`)
|
|
64
|
-
|
|
65
|
-
When a category policy is `require_approval`, execution is suspended and a
|
|
66
|
-
`tool:approval_required` event is emitted to the user's Socket.IO room. The
|
|
67
|
-
agent loop awaits the decision with a 30-second timeout. If no decision is
|
|
68
|
-
received, the tool is denied and the model is informed of the timeout.
|
|
69
|
-
|
|
70
|
-
### Global security mode
|
|
71
|
-
|
|
72
|
-
Users can override all per-category settings with a global mode (stored in
|
|
73
|
-
`user_settings` under key `tool_security_mode`):
|
|
74
|
-
|
|
75
|
-
| Mode | Behaviour |
|
|
32
|
+
| Capability | Runtime |
|
|
76
33
|
|---|---|
|
|
77
|
-
|
|
|
78
|
-
|
|
|
79
|
-
|
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
-
|
|
99
|
-
|
|
100
|
-
-
|
|
101
|
-
|
|
102
|
-
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
-
|
|
109
|
-
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
-
|
|
114
|
-
|
|
115
|
-
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
open-ended agentic sessions that browse the web or read email.
|
|
121
|
-
|
|
122
|
-
For vulnerability reporting, see [Security Policy](https://github.com/NeoLabs-Systems/NeoAgent/blob/main/SECURITY.md).
|
|
34
|
+
| Default browser and shell | Per-user isolated runtime managed by the NeoAgent host |
|
|
35
|
+
| Workspace files | Server-enforced user workspace paths |
|
|
36
|
+
| Paired Chrome extension | The paired Chrome profile and machine |
|
|
37
|
+
| Paired desktop companion | The paired desktop account |
|
|
38
|
+
| Android | The selected host-attached ADB device or emulator |
|
|
39
|
+
| Integrations | NeoAgent server using stored account credentials |
|
|
40
|
+
|
|
41
|
+
The paired extension and desktop companion are access grants, not isolation
|
|
42
|
+
boundaries. Android commands do not run in the browser and shell VM.
|
|
43
|
+
|
|
44
|
+
## Account and integration controls
|
|
45
|
+
|
|
46
|
+
- Credentials remain on the server.
|
|
47
|
+
- Official integration accounts can be set to read-only.
|
|
48
|
+
- Users and agents have separate application data and assignments.
|
|
49
|
+
- Messaging allowlists restrict which chats and senders can trigger runs.
|
|
50
|
+
- A guest token authenticates communication with the isolated runtime.
|
|
51
|
+
|
|
52
|
+
## Important limitations
|
|
53
|
+
|
|
54
|
+
- Read-only tools do not require approval by default.
|
|
55
|
+
- Outbound network access is not filtered by destination.
|
|
56
|
+
- A paired browser can access the signed-in state of that Chrome profile.
|
|
57
|
+
- A paired desktop process acts with the permissions of its OS account.
|
|
58
|
+
- ADB can expose broad access to the selected Android device.
|
|
59
|
+
- Prompt-injection detection cannot identify every malicious instruction.
|
|
60
|
+
- Multi-user application isolation does not make NeoAgent suitable for
|
|
61
|
+
mutually hostile tenants on a shared host.
|
|
62
|
+
|
|
63
|
+
## Deployment guidance
|
|
64
|
+
|
|
65
|
+
- Run NeoAgent as a dedicated unprivileged OS account.
|
|
66
|
+
- Use HTTPS for remote access.
|
|
67
|
+
- Keep shell, desktop, Android, and write categories on approval until the
|
|
68
|
+
workflow is understood.
|
|
69
|
+
- Use dedicated Chrome and desktop profiles for paired control.
|
|
70
|
+
- Keep integrations read-only unless writes are required.
|
|
71
|
+
- Do not use allow-all for open-ended runs that browse the web or read messages.
|
|
72
|
+
- Back up secrets and user data securely and test account recovery.
|
|
73
|
+
|
|
74
|
+
The implementation details are documented in
|
|
75
|
+
[Runtime and tool execution](runtime-and-tools.md). Report vulnerabilities
|
|
76
|
+
through [SECURITY.md](https://github.com/NeoLabs-Systems/NeoAgent/blob/main/SECURITY.md).
|
package/docs/skills.md
CHANGED
|
@@ -1,59 +1,46 @@
|
|
|
1
|
-
# Skills
|
|
1
|
+
# Skills and MCP
|
|
2
2
|
|
|
3
|
-
Skills
|
|
3
|
+
Skills and MCP servers both extend the agent, but they solve different
|
|
4
|
+
problems.
|
|
4
5
|
|
|
5
|
-
##
|
|
6
|
+
## Skills
|
|
6
7
|
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
| `cli.md` | Shell commands in a persistent PTY terminal |
|
|
11
|
-
| `files.md` | Read, write, and search host files |
|
|
12
|
-
| `memory.md` | Store and recall long-term facts |
|
|
13
|
-
| `messaging.md` | Send via Telegram, WhatsApp, Discord, Slack, Matrix, Teams, Google Chat, or webhooks |
|
|
14
|
-
| `system-stats.md` | CPU, memory, and disk usage |
|
|
15
|
-
| `weather.md` | Current weather via wttr.in |
|
|
16
|
-
| `ip-info.md` | Public IP and geolocation |
|
|
17
|
-
| `port-check.md` | Check if a TCP port is open |
|
|
18
|
-
| `ping-host.md` | Ping a host |
|
|
19
|
-
| `process-monitor.md` | List running processes |
|
|
20
|
-
| `disk-usage.md` | Directory size breakdown |
|
|
21
|
-
| `find-large-files.md` | Locate large files |
|
|
22
|
-
| `docker-status.md` | Docker container status |
|
|
23
|
-
| `tail-log.md` | Tail any log file |
|
|
24
|
-
| `news-hackernews.md` | Fetch top Hacker News stories |
|
|
25
|
-
| `qr-code.md` | Generate QR codes |
|
|
26
|
-
| `pdf-toolkit.md` | Inspect, extract, merge, split, compress PDFs |
|
|
27
|
-
| `git-summary.md` | Summarize git status, branches, commits, and diffs |
|
|
28
|
-
| `csv-toolkit.md` | Inspect and transform CSV or TSV files |
|
|
29
|
-
| `markdown-workbench.md` | Clean up, outline, and convert Markdown documents |
|
|
8
|
+
A skill is a Markdown instruction set for a repeatable workflow. Skills can
|
|
9
|
+
teach an agent how to use existing tools, commands, file formats, or local
|
|
10
|
+
conventions. They do not add a new security boundary or bypass tool approvals.
|
|
30
11
|
|
|
31
|
-
|
|
12
|
+
Manage skills in **Skills**. NeoAgent includes a catalog of system, network,
|
|
13
|
+
document, data, creative, and development workflows. Installed skills are
|
|
14
|
+
editable and removable.
|
|
32
15
|
|
|
33
|
-
|
|
16
|
+
Custom skills live in the NeoAgent agent-data directory and are loaded without
|
|
17
|
+
restarting the server. Keep them focused, name the actual tools they require,
|
|
18
|
+
and never store secrets in them.
|
|
34
19
|
|
|
35
|
-
|
|
36
|
-
# My Skill Name
|
|
20
|
+
Use a skill when:
|
|
37
21
|
|
|
38
|
-
|
|
22
|
+
- the workflow repeats;
|
|
23
|
+
- the agent already has the required underlying tools; and
|
|
24
|
+
- written procedure is enough to make the work reliable.
|
|
39
25
|
|
|
40
|
-
##
|
|
26
|
+
## MCP servers
|
|
41
27
|
|
|
42
|
-
|
|
43
|
-
|
|
28
|
+
The [Model Context Protocol](https://modelcontextprotocol.io/) connects NeoAgent
|
|
29
|
+
to external tool servers. Configure servers in **MCP**, choose the supported
|
|
30
|
+
authentication method, and inspect the connection state before assigning the
|
|
31
|
+
tools to an agent.
|
|
44
32
|
|
|
45
|
-
|
|
33
|
+
Use MCP when an external system exposes a maintained MCP server or when a
|
|
34
|
+
capability requires a real API implementation rather than instructions.
|
|
46
35
|
|
|
47
|
-
|
|
36
|
+
## Choosing the right extension
|
|
48
37
|
|
|
49
|
-
|
|
38
|
+
Prefer, in order:
|
|
50
39
|
|
|
51
|
-
|
|
40
|
+
1. An official NeoAgent integration for supported account services
|
|
41
|
+
2. A maintained MCP server
|
|
42
|
+
3. A skill using existing tools
|
|
43
|
+
4. Browser or shell automation when no structured interface exists
|
|
52
44
|
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
## MCP Tools
|
|
56
|
-
|
|
57
|
-
External tools connect via the [Model Context Protocol](https://modelcontextprotocol.io). Configure MCP servers in **Settings → MCP**. Connected tools appear alongside built-in skills automatically.
|
|
58
|
-
|
|
59
|
-
Use official integrations or MCP tools when they exist — they are more reliable than browser automation or shell scraping and easier to audit.
|
|
45
|
+
Structured integrations are easier to restrict, audit, and keep stable than UI
|
|
46
|
+
automation.
|