superlocalmemory 2.8.1 → 2.8.3

package/docs/SECURITY-QUICK-REFERENCE.md

@@ -0,0 +1,214 @@
+# Security Quick Reference — For Developers
+
+**Last Updated:** March 4, 2026
+
+## TL;DR — Safe Coding Patterns
+
+### ✅ DO THIS (Safe)
+
+```javascript
+// Safe: Use textContent for plain text
+element.textContent = userContent;
+
+// Safe: Use escapeHtml() before DOM insertion
+element.innerHTML = escapeHtml(userContent);
+
+// Safe: Create elements programmatically
+const div = document.createElement('div');
+div.textContent = userContent;
+parent.appendChild(div);
+```
+
+### ❌ DON'T DO THIS (Dangerous)
+
+```javascript
+// DANGEROUS: Direct assignment with user content
+element.innerHTML = userContent;  // XSS VULNERABLE
+
+// DANGEROUS: Using code evaluation with user input
+// Never use eval, Function constructor, or similar
+
+// DANGEROUS: Inline event handlers with user content
+element.setAttribute('onclick', userCode);  // XSS VULNERABLE
+```
+
+## Security Checklist — Before Committing
+
+- [ ] No direct innerHTML assignments without escapeHtml()
+- [ ] All user content either uses textContent or is escaped
+- [ ] No code evaluation with user input
+- [ ] No inline event handlers with dynamic content
+- [ ] All API endpoints return explicit Content-Type
+- [ ] SQL queries use parameterized statements (never string concatenation)
+- [ ] No secrets in code or config files
+- [ ] Run security tests: pytest tests/test_security_headers.py -v
+
+## Common Patterns
+
+### Rendering User-Generated Content
+
+**Pattern 1: Plain Text Only**
+```javascript
+const contentDiv = document.getElementById('memory-content');
+contentDiv.textContent = memory.content;  // Automatically safe
+```
+
+**Pattern 2: Mixed Content (HTML Structure + User Text)**
+```javascript
+const html = `
+  <div class="memory-card">
+    <h3>${escapeHtml(memory.title)}</h3>
+    <p>${escapeHtml(memory.content)}</p>
+    <span class="badge">${escapeHtml(memory.category)}</span>
+  </div>
+`;
+container.innerHTML = html;
+```
+
+**Pattern 3: Building DOM Programmatically (Most Secure)**
+```javascript
+const card = document.createElement('div');
+card.className = 'memory-card';
+
+const title = document.createElement('h3');
+title.textContent = memory.title;
+
+const content = document.createElement('p');
+content.textContent = memory.content;
+
+card.appendChild(title);
+card.appendChild(content);
+container.appendChild(card);
+```
+
+### FastAPI Routes
+
+**Safe Pattern:**
+```python
+@router.get("/api/memories")
+async def get_memories():
+    # FastAPI automatically sets Content-Type: application/json
+    return {
+        "memories": memories,  # User content here is safe in JSON
+        "total": len(memories)
+    }
+```
+
+**SQL Queries:**
+```python
+# SAFE: Parameterized query
+cursor.execute("SELECT * FROM memories WHERE id = ?", (memory_id,))
+
+# DANGEROUS: String concatenation (SQL injection)
+# Never use f-strings or concatenation for SQL queries
+```
+
+## Testing XSS Protection
+
+```python
+# Test that XSS payloads are handled safely
+def test_xss_payload():
+    payload = "<script>alert('xss')</script>"
+
+    # This should be safe when:
+    # 1. Returned as JSON with Content-Type: application/json
+    # 2. Rendered with escapeHtml() on client
+    # 3. Protected by CSP headers
+
+    response = client.get(f"/api/memory?content={payload}")
+    assert response.headers["Content-Type"] == "application/json"
+    assert response.headers["X-Content-Type-Options"] == "nosniff"
+```
+
+## Security Headers Reference
+
+All responses include these headers automatically via SecurityHeadersMiddleware:
+
+- X-Content-Type-Options: nosniff
+- X-Frame-Options: DENY
+- X-XSS-Protection: 1; mode=block
+- Content-Security-Policy: (comprehensive policy)
+- Referrer-Policy: strict-origin-when-cross-origin
+- Cache-Control: no-store (API endpoints only)
+
+**Don't override these headers** unless you have a specific security reason and understand the implications.
+
+## CORS Configuration
+
+Current allowed origins:
+- http://localhost:8765
+- http://127.0.0.1:8765
+- http://localhost:8417
+- http://127.0.0.1:8417
+
+**To add a new origin:**
+1. Add to the allow_origins list in ui_server.py
+2. Document why it's needed
+3. Never use wildcard * in production
+
+## When to Update Security
+
+### Add New Route
+- [ ] Verify return type has explicit Content-Type
+- [ ] Test with XSS payloads
+- [ ] Add test case to test_security_headers.py
+
+### Add New JavaScript
+- [ ] Use textContent for plain text
+- [ ] Use escapeHtml() for mixed content
+- [ ] Test rendering with XSS payloads
+
+### Modify Security Headers
+- [ ] Document reason in commit message
+- [ ] Update SECURITY.md
+- [ ] Run full security test suite
+- [ ] Consider security implications
+
+## Resources
+
+- **Full Security Policy:** See SECURITY.md
+- **Security Enhancement Details:** .backup/security-enhancement-2026-03-04.md
+- **Security Tests:** tests/test_security_headers.py
+- **Middleware Source:** security_middleware.py
+- **Client-Side Escaping:** ui/app.js (escapeHtml function)
+
+## Quick Test Commands
+
+```bash
+# Run security tests only
+pytest tests/test_security_headers.py -v
+
+# Run all tests
+pytest tests/ -x -q
+
+# Manual verification (browser)
+python3 ui_server.py
+# Open http://localhost:8765
+# DevTools → Network → Check response headers
+```
+
+## Red Flags — Stop and Review
+
+If you see any of these patterns, STOP and review:
+
+- innerHTML with user content (without escaping)
+- Code evaluation functions anywhere
+- String concatenation in SQL queries
+- CORS with wildcard *
+- User input in event handler attributes
+- Disabling CSP or security headers
+- Secrets or API keys in code
+
+## When in Doubt
+
+**Ask these questions:**
+1. Could a user inject a script tag here?
+2. Is this content escaped before rendering?
+3. Does this SQL query use parameters?
+4. Could this header configuration weaken security?
+
+**If unsure:** Use the safest pattern (textContent or programmatic DOM creation).
+
+---
+
+**Remember:** Defense in depth. We have multiple layers (headers, CSP, escaping). Use all of them.

package/docs/UNIVERSAL-INTEGRATION.md

@@ -33,7 +33,7 @@ After installation, restart any IDE you want to use SuperLocalMemory with.
 
 ### Step 3: Start Using It
 - **In Cursor/Windsurf:** Just talk naturally - "Remember that we use FastAPI for APIs"
-- **In Claude Code:** Use `/superlocalmemoryv2:remember` or the new `slm` commands
+- **In Claude Code:** Use `/superlocalmemoryv2-remember` or the new `slm` commands
 - **In Terminal:** Use `slm remember "content"`
 
 ---
@@ -48,11 +48,11 @@ After installation, restart any IDE you want to use SuperLocalMemory with.
 
 **Usage:**
 ```
-/superlocalmemoryv2:remember "Use FastAPI for REST APIs"
-/superlocalmemoryv2:recall "FastAPI"
-/superlocalmemoryv2:list
-/superlocalmemoryv2:status
-/superlocalmemoryv2:profile list
+/superlocalmemoryv2-remember "Use FastAPI for REST APIs"
+/superlocalmemoryv2-recall "FastAPI"
+/superlocalmemoryv2-list
+/superlocalmemoryv2-status
+/superlocalmemoryv2-profile list
 ```
 
 **OR use the simpler CLI:**
@@ -169,7 +169,7 @@ Continue's AI can also call memory tools directly.
 slashCommands:
   - name: "slm-remember"
     description: "Save to SuperLocalMemory"
-    run: "~/.claude-memory/bin/superlocalmemoryv2:remember \"{{input}}\""
+    run: "~/.claude-memory/bin/superlocalmemoryv2-remember \"{{input}}\""
 
 # For MCP tools
 contextProviders:
@@ -293,7 +293,7 @@ ChatGPT: [calls fetch(42)]
 
 **Commands Installed:**
 - `slm` - Main command
-- All original `superlocalmemoryv2:*` commands still work
+- All original `superlocalmemoryv2-*` commands still work
 
 **Usage:**
 ```bash
@@ -335,7 +335,7 @@ All access methods use the **SAME local SQLite database**:
 │            ACCESS METHODS                   │
 ├─────────────────────────────────────────────┤
 │ TIER 1: Skills                              │
-│  • Claude Code: /superlocalmemoryv2:*       │
+│  • Claude Code: /superlocalmemoryv2-*       │
 │  • Continue: /slm-*                         │
 │  • Cody: /slm-*                            │
 ├─────────────────────────────────────────────┤
@@ -359,7 +359,7 @@ All access methods use the **SAME local SQLite database**:
          └───────────────────┘
 ```
 
-**Key Point:** No matter which method you use, all data goes to the same place. You can use `/superlocalmemoryv2:remember` in Claude Code, then `slm recall` in terminal, and see the same memories.
+**Key Point:** No matter which method you use, all data goes to the same place. You can use `/superlocalmemoryv2-remember` in Claude Code, then `slm recall` in terminal, and see the same memories.
 
 ---
 
@@ -453,11 +453,11 @@ python3 ~/.claude-memory/mcp_server.py --transport http --port 8001
 
 | Old Command | Still Works? | New Alternative |
 |-------------|--------------|-----------------|
-| `superlocalmemoryv2:remember` | ✅ Yes | `slm remember` |
-| `superlocalmemoryv2:recall` | ✅ Yes | `slm recall` |
-| `superlocalmemoryv2:list` | ✅ Yes | `slm list` |
-| `superlocalmemoryv2:status` | ✅ Yes | `slm status` |
-| `superlocalmemoryv2:profile` | ✅ Yes | `slm profile` |
+| `superlocalmemoryv2-remember` | ✅ Yes | `slm remember` |
+| `superlocalmemoryv2-recall` | ✅ Yes | `slm recall` |
+| `superlocalmemoryv2-list` | ✅ Yes | `slm list` |
+| `superlocalmemoryv2-status` | ✅ Yes | `slm status` |
+| `superlocalmemoryv2-profile` | ✅ Yes | `slm profile` |
 
 **Nothing breaks. Everything gains new capabilities.**
 

package/install.ps1

@@ -1,10 +1,18 @@
 # ============================================================================
-# SuperLocalMemory V2.2.0 - Windows Installation Script (PowerShell)
+# SuperLocalMemory V2.8.3 - Windows Installation Script (PowerShell)
 # Copyright (c) 2026 Varun Pratap Bhardwaj
 # Licensed under MIT License
 # Repository: https://github.com/varun369/SuperLocalMemoryV2
 # ============================================================================
 
+# IMPORTANT: param() must be the FIRST executable statement in PowerShell
+param(
+    [switch]$NonInteractive,
+    [switch]$Auto,
+    [switch]$Yes,
+    [switch]$y
+)
+
 $ErrorActionPreference = "Stop"
 
 $INSTALL_DIR = Join-Path $env:USERPROFILE ".claude-memory"
@@ -16,14 +24,6 @@ if (-not [Environment]::UserInteractive) {
     $NON_INTERACTIVE = $true
 }
 
-# Parse command line arguments
-param(
-    [switch]$NonInteractive,
-    [switch]$Auto,
-    [switch]$Yes,
-    [switch]$y
-)
-
 if ($NonInteractive -or $Auto -or $Yes -or $y) {
     $NON_INTERACTIVE = $true
 }
@@ -31,7 +31,7 @@ if ($NonInteractive -or $Auto -or $Yes -or $y) {
 # Print banner
 Write-Host ""
 Write-Host "=================================================================="
-Write-Host "  SuperLocalMemory V2.2.0 - Windows Installation                 "
+Write-Host "  SuperLocalMemory V2.8.3 - Windows Installation                 "
 Write-Host "  by Varun Pratap Bhardwaj                                       "
 Write-Host "  https://github.com/varun369/SuperLocalMemoryV2                 "
 Write-Host "=================================================================="
@@ -552,7 +552,7 @@ Write-Host "=================================================================="
 Write-Host "  Optional Features Available                                    "
 Write-Host "=================================================================="
 Write-Host ""
-Write-Host "SuperLocalMemory V2.2.0 includes optional features:"
+Write-Host "SuperLocalMemory includes optional features:"
 Write-Host ""
 Write-Host "  1) Advanced Search (~1.5GB, 5-10 min)"
 Write-Host "     - Semantic search with sentence transformers"

package/install.sh

@@ -848,10 +848,10 @@ echo ""
 echo "Available commands (two ways to use them):"
 echo ""
 echo "OPTION 1: Original commands (still work):"
-echo "  superlocalmemoryv2:remember  - Save a new memory"
-echo "  superlocalmemoryv2:recall    - Search memories"
-echo "  superlocalmemoryv2:list      - List recent memories"
-echo "  superlocalmemoryv2:status    - Check system status"
+echo "  superlocalmemoryv2-remember  - Save a new memory"
+echo "  superlocalmemoryv2-recall    - Search memories"
+echo "  superlocalmemoryv2-list      - List recent memories"
+echo "  superlocalmemoryv2-status    - Check system status"
 echo ""
 echo "OPTION 2: New simple commands:"
 echo "  slm remember <content>       - Save (simpler syntax)"

package/mcp_server.py

@@ -203,7 +203,7 @@ _agent_registry = None
 _provenance_tracker = None
 
 
-def get_agent_registry():
+def get_agent_registry() -> Optional[Any]:
     """Get shared AgentRegistry singleton (v2.5+). Returns None if unavailable."""
     global _agent_registry
     if not PROVENANCE_AVAILABLE:
@@ -213,7 +213,7 @@ def get_agent_registry():
     return _agent_registry
 
 
-def get_provenance_tracker():
+def get_provenance_tracker() -> Optional[Any]:
     """Get shared ProvenanceTracker singleton (v2.5+). Returns None if unavailable."""
     global _provenance_tracker
     if not PROVENANCE_AVAILABLE:
@@ -226,7 +226,7 @@ def get_provenance_tracker():
 _trust_scorer = None
 
 
-def get_trust_scorer():
+def get_trust_scorer() -> Optional[Any]:
     """Get shared TrustScorer singleton (v2.6+). Returns None if unavailable."""
     global _trust_scorer
     if not TRUST_AVAILABLE:
@@ -609,7 +609,7 @@ async def remember(
     """
     Save content to SuperLocalMemory with intelligent indexing.
 
-    This calls the SAME backend as /superlocalmemoryv2:remember skill.
+    This calls the SAME backend as /superlocalmemoryv2-remember skill.
     All memories are stored in the same local SQLite database.
 
     Args:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "superlocalmemory",
-  "version": "2.8.1",
+  "version": "2.8.3",
   "description": "Your AI Finally Remembers You - Local-first intelligent memory system for AI assistants. Works with Claude, Cursor, Windsurf, VS Code/Copilot, Codex, and 17+ AI tools. 100% local, zero cloud dependencies.",
   "keywords": [
     "ai-memory",
@@ -22,7 +22,9 @@
     "chatgpt",
     "chatgpt-connector",
     "openai",
-    "deep-research"
+    "deep-research",
+    "qualixar",
+    "agent-development-platform"
   ],
   "author": {
     "name": "Varun Pratap Bhardwaj",
@@ -44,7 +46,7 @@
     "superlocalmemory": "./bin/slm-npm"
   },
   "scripts": {
-    "prepack": "find . -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null; find . -name '*.pyc' -delete 2>/dev/null; true",
+    "prepack": "node scripts/prepack.js",
     "postinstall": "node scripts/postinstall.js",
     "preuninstall": "node scripts/preuninstall.js",
     "test": "echo \"Run: npm install -g . && slm status\" && exit 0"

package/requirements-core.txt

@@ -1,24 +1,22 @@
-# SuperLocalMemory V2.2.0 - Core Required Dependencies
+# SuperLocalMemory - Core Feature Dependencies
 # ============================================================================
-# These packages are REQUIRED for core features (graph & patterns)
-# Install automatically during setup for smooth user experience
+# Required for knowledge graph and web dashboard.
+# Core memory operations work without these (stdlib only).
 #
-# Download size: ~50MB
-# Installation time: 1-2 minutes
-#
-# Install with: pip3 install -r requirements-core.txt
+# Download size: ~50MB | Install time: 1-2 minutes
+# Install: pip3 install -r requirements-core.txt
 # ============================================================================
 
-# Knowledge Graph - Required for graph_engine.py
-python-igraph>=0.10.0
-leidenalg>=0.9.0
-scikit-learn>=1.3.0  # Required for TF-IDF vectorization
+# Knowledge Graph
+python-igraph>=0.10.0,<2.0.0
+leidenalg>=0.9.0,<1.0.0
+scikit-learn>=1.3.0,<2.0.0
 
-# Web Dashboard - Required for ui_server.py
-fastapi>=0.109.0
-uvicorn[standard]>=0.27.0
-python-multipart>=0.0.6
+# Web Dashboard
+fastapi>=0.109.0,<1.0.0
+uvicorn[standard]>=0.27.0,<1.0.0
+python-multipart>=0.0.6,<1.0.0
 
-# Performance - JSON and caching
-orjson>=3.9.0
-diskcache>=5.6.0
+# Performance
+orjson>=3.9.0,<4.0.0
+diskcache>=5.6.0,<6.0.0

package/requirements-learning.txt

@@ -1,12 +1,12 @@
-# SuperLocalMemory v2.7 - Learning Dependencies
+# SuperLocalMemory - Learning Dependencies
 # ============================================================================
-# Optional but recommended. Enables intelligent pattern learning and
-# personalized recall ranking.
-#
-# If installation fails, core features work normally (v2.6 behavior).
-# To install: pip3 install -r requirements-learning.txt
+# Optional but recommended. Enables intelligent pattern learning
+# and personalized recall ranking.
 #
+# If installation fails, core features work normally.
+# Install: pip3 install -r requirements-learning.txt
 # Download size: ~30MB
 # ============================================================================
-lightgbm>=4.0.0
-scipy>=1.9.0
+
+lightgbm>=4.0.0,<5.0.0
+scipy>=1.9.0,<2.0.0

package/requirements.txt

@@ -1,10 +1,12 @@
-# SuperLocalMemory V2 - Core Requirements
+# SuperLocalMemory - Core Requirements
 # ============================================================================
-# SuperLocalMemory V2.2.0 has ZERO core dependencies
-# All functionality works with Python 3.8+ standard library only
+# Core memory operations (store, recall, search) work with Python 3.8+
+# standard library only — no required dependencies.
 #
-# For optional advanced features, see:
-#   - requirements-full.txt     (all optional features)
-#   - requirements-ui.txt       (web dashboard only)
-#   - requirements-search.txt   (advanced search only)
+# Advanced features (knowledge graph, dashboard, semantic search) require
+# optional dependencies listed in the other requirements files:
+#   - requirements-core.txt     (graph + dashboard)
+#   - requirements-search.txt   (semantic search)
+#   - requirements-learning.txt (ML-based ranking)
+#   - requirements-full.txt     (everything)
 # ============================================================================

package/scripts/prepack.js

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+/**
+ * SuperLocalMemory - Cross-platform prepack cleanup
+ *
+ * Removes __pycache__ directories and .pyc files before npm pack.
+ * Works on Windows, macOS, and Linux.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+function removePycache(dir) {
+    if (!fs.existsSync(dir)) return;
+
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+        const fullPath = path.join(dir, entry.name);
+
+        if (entry.isDirectory()) {
+            if (entry.name === '__pycache__' || entry.name === 'node_modules') {
+                if (entry.name === '__pycache__') {
+                    fs.rmSync(fullPath, { recursive: true, force: true });
+                }
+                continue;
+            }
+            removePycache(fullPath);
+        } else if (entry.isFile() && entry.name.endsWith('.pyc')) {
+            fs.unlinkSync(fullPath);
+        }
+    }
+}
+
+removePycache(process.cwd());