superlocalmemory 2.8.2 → 2.8.3

package/README.md

@@ -14,6 +14,7 @@
 </p>
 
 <p align="center">
+  <a href="https://arxiv.org/abs/2603.02240"><img src="https://img.shields.io/badge/arXiv-2603.02240-b31b1b?style=for-the-badge&logo=arxiv&logoColor=white" alt="arXiv"/></a>
   <a href="https://zenodo.org/records/18709670"><img src="https://img.shields.io/badge/DOI-10.5281%2Fzenodo.18709670-blue?style=for-the-badge&logo=doi&logoColor=white" alt="DOI"/></a>
   <a href="https://zenodo.org/records/18709670"><img src="https://img.shields.io/badge/Zenodo-Research_Paper-1682D4?style=for-the-badge&logo=zenodo&logoColor=white" alt="Zenodo"/></a>
   <a href="https://www.researchgate.net/publication/400976053"><img src="https://img.shields.io/badge/ResearchGate-Paper-00CCBB?style=for-the-badge&logo=researchgate&logoColor=white" alt="ResearchGate"/></a>
@@ -55,21 +56,22 @@ The paper presents SuperLocalMemory's architecture for defending against OWASP A
 
 | Platform | Link |
 |----------|------|
+| **arXiv** | [arXiv:2603.02240](https://arxiv.org/abs/2603.02240) |
 | **Zenodo** (CERN) | [DOI: 10.5281/zenodo.18709670](https://zenodo.org/records/18709670) |
 | **ResearchGate** | [Publication Page](https://www.researchgate.net/publication/400976053) |
-| **arXiv** | Submission under review |
 | **Research Portfolio** | [superlocalmemory.com/research](https://superlocalmemory.com/research) |
 
 If you use SuperLocalMemory in your research, please cite:
 
 ```bibtex
-@misc{bhardwaj2026superlocalmemory,
+@article{bhardwaj2026superlocalmemory,
   title={SuperLocalMemory: Privacy-Preserving Multi-Agent Memory with Bayesian Trust Defense Against Memory Poisoning},
   author={Bhardwaj, Varun Pratap},
   year={2026},
-  doi={10.5281/zenodo.18709670},
-  url={https://zenodo.org/records/18709670},
-  note={Preprint}
+  eprint={2603.02240},
+  archivePrefix={arXiv},
+  primaryClass={cs.AI},
+  url={https://arxiv.org/abs/2603.02240}
 }
 ```
 

package/api_server.py

@@ -18,6 +18,8 @@ from fastapi.responses import HTMLResponse, JSONResponse
 from pydantic import BaseModel
 import uvicorn
 
+from security_middleware import SecurityHeadersMiddleware
+
 # Import local modules
 import sys
 sys.path.insert(0, str(Path(__file__).parent / "src"))
@@ -37,6 +39,9 @@ app = FastAPI(
     version="2.0.0"
 )
 
+# Security middleware (add first for proper header application)
+app.add_middleware(SecurityHeadersMiddleware)
+
 # Mount static files
 UI_DIR.mkdir(exist_ok=True)
 app.mount("/static", StaticFiles(directory=str(UI_DIR)), name="static")

package/bin/slm.bat

@@ -49,7 +49,7 @@ exit /b 1
 
 REM Parse command
 if "%1"=="" (
-    echo SuperLocalMemory V2.1.0 - Universal AI Memory System
+    echo SuperLocalMemory - Universal AI Memory System
     echo.
     echo Usage: slm [command] [options]
     echo.
@@ -145,7 +145,7 @@ if exist "%INSTALL_DIR%\memory-profiles.py" (
 exit /b %ERRORLEVEL%
 
 :show_help
-echo SuperLocalMemory V2.1.0 - Universal AI Memory System
+echo SuperLocalMemory - Universal AI Memory System
 echo.
 echo Usage: slm [command] [options]
 echo.
@@ -188,7 +188,7 @@ echo Report issues: https://github.com/varun369/SuperLocalMemoryV2/issues
 exit /b 0
 
 :show_version
-echo SuperLocalMemory V2.1.0-universal
+echo SuperLocalMemory V2.8.3
 echo Copyright (c) 2026 Varun Pratap Bhardwaj
 echo Licensed under MIT License
 echo Repository: https://github.com/varun369/SuperLocalMemoryV2

package/docs/SECURITY-QUICK-REFERENCE.md

@@ -0,0 +1,214 @@
+# Security Quick Reference — For Developers
+
+**Last Updated:** March 4, 2026
+
+## TL;DR — Safe Coding Patterns
+
+### ✅ DO THIS (Safe)
+
+```javascript
+// Safe: Use textContent for plain text
+element.textContent = userContent;
+
+// Safe: Use escapeHtml() before DOM insertion
+element.innerHTML = escapeHtml(userContent);
+
+// Safe: Create elements programmatically
+const div = document.createElement('div');
+div.textContent = userContent;
+parent.appendChild(div);
+```
+
+### ❌ DON'T DO THIS (Dangerous)
+
+```javascript
+// DANGEROUS: Direct assignment with user content
+element.innerHTML = userContent;  // XSS VULNERABLE
+
+// DANGEROUS: Using code evaluation with user input
+// Never use eval, Function constructor, or similar
+
+// DANGEROUS: Inline event handlers with user content
+element.setAttribute('onclick', userCode);  // XSS VULNERABLE
+```
+
+## Security Checklist — Before Committing
+
+- [ ] No direct innerHTML assignments without escapeHtml()
+- [ ] All user content either uses textContent or is escaped
+- [ ] No code evaluation with user input
+- [ ] No inline event handlers with dynamic content
+- [ ] All API endpoints return explicit Content-Type
+- [ ] SQL queries use parameterized statements (never string concatenation)
+- [ ] No secrets in code or config files
+- [ ] Run security tests: pytest tests/test_security_headers.py -v
+
+## Common Patterns
+
+### Rendering User-Generated Content
+
+**Pattern 1: Plain Text Only**
+```javascript
+const contentDiv = document.getElementById('memory-content');
+contentDiv.textContent = memory.content;  // Automatically safe
+```
+
+**Pattern 2: Mixed Content (HTML Structure + User Text)**
+```javascript
+const html = `
+  <div class="memory-card">
+    <h3>${escapeHtml(memory.title)}</h3>
+    <p>${escapeHtml(memory.content)}</p>
+    <span class="badge">${escapeHtml(memory.category)}</span>
+  </div>
+`;
+container.innerHTML = html;
+```
+
+**Pattern 3: Building DOM Programmatically (Most Secure)**
+```javascript
+const card = document.createElement('div');
+card.className = 'memory-card';
+
+const title = document.createElement('h3');
+title.textContent = memory.title;
+
+const content = document.createElement('p');
+content.textContent = memory.content;
+
+card.appendChild(title);
+card.appendChild(content);
+container.appendChild(card);
+```
+
+### FastAPI Routes
+
+**Safe Pattern:**
+```python
+@router.get("/api/memories")
+async def get_memories():
+    # FastAPI automatically sets Content-Type: application/json
+    return {
+        "memories": memories,  # User content here is safe in JSON
+        "total": len(memories)
+    }
+```
+
+**SQL Queries:**
+```python
+# SAFE: Parameterized query
+cursor.execute("SELECT * FROM memories WHERE id = ?", (memory_id,))
+
+# DANGEROUS: String concatenation (SQL injection)
+# Never use f-strings or concatenation for SQL queries
+```
+
+## Testing XSS Protection
+
+```python
+# Test that XSS payloads are handled safely
+def test_xss_payload():
+    payload = "<script>alert('xss')</script>"
+
+    # This should be safe when:
+    # 1. Returned as JSON with Content-Type: application/json
+    # 2. Rendered with escapeHtml() on client
+    # 3. Protected by CSP headers
+
+    response = client.get(f"/api/memory?content={payload}")
+    assert response.headers["Content-Type"] == "application/json"
+    assert response.headers["X-Content-Type-Options"] == "nosniff"
+```
+
+## Security Headers Reference
+
+All responses include these headers automatically via SecurityHeadersMiddleware:
+
+- X-Content-Type-Options: nosniff
+- X-Frame-Options: DENY
+- X-XSS-Protection: 1; mode=block
+- Content-Security-Policy: (comprehensive policy)
+- Referrer-Policy: strict-origin-when-cross-origin
+- Cache-Control: no-store (API endpoints only)
+
+**Don't override these headers** unless you have a specific security reason and understand the implications.
+
+## CORS Configuration
+
+Current allowed origins:
+- http://localhost:8765
+- http://127.0.0.1:8765
+- http://localhost:8417
+- http://127.0.0.1:8417
+
+**To add a new origin:**
+1. Add to the allow_origins list in ui_server.py
+2. Document why it's needed
+3. Never use wildcard * in production
+
+## When to Update Security
+
+### Add New Route
+- [ ] Verify return type has explicit Content-Type
+- [ ] Test with XSS payloads
+- [ ] Add test case to test_security_headers.py
+
+### Add New JavaScript
+- [ ] Use textContent for plain text
+- [ ] Use escapeHtml() for mixed content
+- [ ] Test rendering with XSS payloads
+
+### Modify Security Headers
+- [ ] Document reason in commit message
+- [ ] Update SECURITY.md
+- [ ] Run full security test suite
+- [ ] Consider security implications
+
+## Resources
+
+- **Full Security Policy:** See SECURITY.md
+- **Security Enhancement Details:** .backup/security-enhancement-2026-03-04.md
+- **Security Tests:** tests/test_security_headers.py
+- **Middleware Source:** security_middleware.py
+- **Client-Side Escaping:** ui/app.js (escapeHtml function)
+
+## Quick Test Commands
+
+```bash
+# Run security tests only
+pytest tests/test_security_headers.py -v
+
+# Run all tests
+pytest tests/ -x -q
+
+# Manual verification (browser)
+python3 ui_server.py
+# Open http://localhost:8765
+# DevTools → Network → Check response headers
+```
+
+## Red Flags — Stop and Review
+
+If you see any of these patterns, STOP and review:
+
+- innerHTML with user content (without escaping)
+- Code evaluation functions anywhere
+- String concatenation in SQL queries
+- CORS with wildcard *
+- User input in event handler attributes
+- Disabling CSP or security headers
+- Secrets or API keys in code
+
+## When in Doubt
+
+**Ask these questions:**
+1. Could a user inject a script tag here?
+2. Is this content escaped before rendering?
+3. Does this SQL query use parameters?
+4. Could this header configuration weaken security?
+
+**If unsure:** Use the safest pattern (textContent or programmatic DOM creation).
+
+---
+
+**Remember:** Defense in depth. We have multiple layers (headers, CSP, escaping). Use all of them.

package/install.ps1

@@ -1,10 +1,18 @@
 # ============================================================================
-# SuperLocalMemory V2.2.0 - Windows Installation Script (PowerShell)
+# SuperLocalMemory V2.8.3 - Windows Installation Script (PowerShell)
 # Copyright (c) 2026 Varun Pratap Bhardwaj
 # Licensed under MIT License
 # Repository: https://github.com/varun369/SuperLocalMemoryV2
 # ============================================================================
 
+# IMPORTANT: param() must be the FIRST executable statement in PowerShell
+param(
+    [switch]$NonInteractive,
+    [switch]$Auto,
+    [switch]$Yes,
+    [switch]$y
+)
+
 $ErrorActionPreference = "Stop"
 
 $INSTALL_DIR = Join-Path $env:USERPROFILE ".claude-memory"
@@ -16,14 +24,6 @@ if (-not [Environment]::UserInteractive) {
     $NON_INTERACTIVE = $true
 }
 
-# Parse command line arguments
-param(
-    [switch]$NonInteractive,
-    [switch]$Auto,
-    [switch]$Yes,
-    [switch]$y
-)
-
 if ($NonInteractive -or $Auto -or $Yes -or $y) {
     $NON_INTERACTIVE = $true
 }
@@ -31,7 +31,7 @@ if ($NonInteractive -or $Auto -or $Yes -or $y) {
 # Print banner
 Write-Host ""
 Write-Host "=================================================================="
-Write-Host "  SuperLocalMemory V2.2.0 - Windows Installation                 "
+Write-Host "  SuperLocalMemory V2.8.3 - Windows Installation                 "
 Write-Host "  by Varun Pratap Bhardwaj                                       "
 Write-Host "  https://github.com/varun369/SuperLocalMemoryV2                 "
 Write-Host "=================================================================="
@@ -552,7 +552,7 @@ Write-Host "=================================================================="
 Write-Host "  Optional Features Available                                    "
 Write-Host "=================================================================="
 Write-Host ""
-Write-Host "SuperLocalMemory V2.2.0 includes optional features:"
+Write-Host "SuperLocalMemory includes optional features:"
 Write-Host ""
 Write-Host "  1) Advanced Search (~1.5GB, 5-10 min)"
 Write-Host "     - Semantic search with sentence transformers"

package/mcp_server.py

@@ -203,7 +203,7 @@ _agent_registry = None
 _provenance_tracker = None
 
 
-def get_agent_registry():
+def get_agent_registry() -> Optional[Any]:
     """Get shared AgentRegistry singleton (v2.5+). Returns None if unavailable."""
     global _agent_registry
     if not PROVENANCE_AVAILABLE:
@@ -213,7 +213,7 @@ def get_agent_registry():
     return _agent_registry
 
 
-def get_provenance_tracker():
+def get_provenance_tracker() -> Optional[Any]:
     """Get shared ProvenanceTracker singleton (v2.5+). Returns None if unavailable."""
     global _provenance_tracker
     if not PROVENANCE_AVAILABLE:
@@ -226,7 +226,7 @@ def get_provenance_tracker():
 _trust_scorer = None
 
 
-def get_trust_scorer():
+def get_trust_scorer() -> Optional[Any]:
     """Get shared TrustScorer singleton (v2.6+). Returns None if unavailable."""
     global _trust_scorer
     if not TRUST_AVAILABLE:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "superlocalmemory",
-  "version": "2.8.2",
+  "version": "2.8.3",
   "description": "Your AI Finally Remembers You - Local-first intelligent memory system for AI assistants. Works with Claude, Cursor, Windsurf, VS Code/Copilot, Codex, and 17+ AI tools. 100% local, zero cloud dependencies.",
   "keywords": [
     "ai-memory",
@@ -46,7 +46,7 @@
     "superlocalmemory": "./bin/slm-npm"
   },
   "scripts": {
-    "prepack": "find . -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null; find . -name '*.pyc' -delete 2>/dev/null; true",
+    "prepack": "node scripts/prepack.js",
     "postinstall": "node scripts/postinstall.js",
     "preuninstall": "node scripts/preuninstall.js",
     "test": "echo \"Run: npm install -g . && slm status\" && exit 0"

package/requirements-core.txt

@@ -1,24 +1,22 @@
-# SuperLocalMemory V2.2.0 - Core Required Dependencies
+# SuperLocalMemory - Core Feature Dependencies
 # ============================================================================
-# These packages are REQUIRED for core features (graph & patterns)
-# Install automatically during setup for smooth user experience
+# Required for knowledge graph and web dashboard.
+# Core memory operations work without these (stdlib only).
 #
-# Download size: ~50MB
-# Installation time: 1-2 minutes
-#
-# Install with: pip3 install -r requirements-core.txt
+# Download size: ~50MB | Install time: 1-2 minutes
+# Install: pip3 install -r requirements-core.txt
 # ============================================================================
 
-# Knowledge Graph - Required for graph_engine.py
-python-igraph>=0.10.0
-leidenalg>=0.9.0
-scikit-learn>=1.3.0  # Required for TF-IDF vectorization
+# Knowledge Graph
+python-igraph>=0.10.0,<2.0.0
+leidenalg>=0.9.0,<1.0.0
+scikit-learn>=1.3.0,<2.0.0
 
-# Web Dashboard - Required for ui_server.py
-fastapi>=0.109.0
-uvicorn[standard]>=0.27.0
-python-multipart>=0.0.6
+# Web Dashboard
+fastapi>=0.109.0,<1.0.0
+uvicorn[standard]>=0.27.0,<1.0.0
+python-multipart>=0.0.6,<1.0.0
 
-# Performance - JSON and caching
-orjson>=3.9.0
-diskcache>=5.6.0
+# Performance
+orjson>=3.9.0,<4.0.0
+diskcache>=5.6.0,<6.0.0

package/requirements-learning.txt

@@ -1,12 +1,12 @@
-# SuperLocalMemory v2.7 - Learning Dependencies
+# SuperLocalMemory - Learning Dependencies
 # ============================================================================
-# Optional but recommended. Enables intelligent pattern learning and
-# personalized recall ranking.
-#
-# If installation fails, core features work normally (v2.6 behavior).
-# To install: pip3 install -r requirements-learning.txt
+# Optional but recommended. Enables intelligent pattern learning
+# and personalized recall ranking.
 #
+# If installation fails, core features work normally.
+# Install: pip3 install -r requirements-learning.txt
 # Download size: ~30MB
 # ============================================================================
-lightgbm>=4.0.0
-scipy>=1.9.0
+
+lightgbm>=4.0.0,<5.0.0
+scipy>=1.9.0,<2.0.0

package/requirements.txt

@@ -1,10 +1,12 @@
-# SuperLocalMemory V2 - Core Requirements
+# SuperLocalMemory - Core Requirements
 # ============================================================================
-# SuperLocalMemory V2.2.0 has ZERO core dependencies
-# All functionality works with Python 3.8+ standard library only
+# Core memory operations (store, recall, search) work with Python 3.8+
+# standard library only — no required dependencies.
 #
-# For optional advanced features, see:
-#   - requirements-full.txt     (all optional features)
-#   - requirements-ui.txt       (web dashboard only)
-#   - requirements-search.txt   (advanced search only)
+# Advanced features (knowledge graph, dashboard, semantic search) require
+# optional dependencies listed in the other requirements files:
+#   - requirements-core.txt     (graph + dashboard)
+#   - requirements-search.txt   (semantic search)
+#   - requirements-learning.txt (ML-based ranking)
+#   - requirements-full.txt     (everything)
 # ============================================================================

package/scripts/prepack.js

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+/**
+ * SuperLocalMemory - Cross-platform prepack cleanup
+ *
+ * Removes __pycache__ directories and .pyc files before npm pack.
+ * Works on Windows, macOS, and Linux.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+function removePycache(dir) {
+    if (!fs.existsSync(dir)) return;
+
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+        const fullPath = path.join(dir, entry.name);
+
+        if (entry.isDirectory()) {
+            if (entry.name === '__pycache__' || entry.name === 'node_modules') {
+                if (entry.name === '__pycache__') {
+                    fs.rmSync(fullPath, { recursive: true, force: true });
+                }
+                continue;
+            }
+            removePycache(fullPath);
+        } else if (entry.isFile() && entry.name.endsWith('.pyc')) {
+            fs.unlinkSync(fullPath);
+        }
+    }
+}
+
+removePycache(process.cwd());